rec: An opt-out NSEC3 is a valid (insecure) proof for an expanded wildcard
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 5 Mar 2021 16:24:04 +0000 (17:24 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 5 Mar 2021 16:24:04 +0000 (17:24 +0100)
pdns/syncres.cc

index ef093d0a277817cd1f36fb3e4a7bd59d0c930f0e..0c55075cd053f6db7c15ff60858e383abfd5120e 100644 (file)
@@ -3509,7 +3509,7 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
             dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount);
             if (res != dState::NXDOMAIN) {
               vState st = vState::BogusInvalidDenial;
-              if (res == dState::INSECURE) {
+              if (res == dState::INSECURE || res == dState::OPTOUT) {
                 /* Some part could not be validated, for example a NSEC3 record with a too large number of iterations,
                    this is not enough to warrant a Bogus, but go Insecure. */
                 st = vState::Insecure;
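Review bot: The explanatory comment directly below the changed condition still describes only the "too many iterations" case, so the newly accepted OPTOUT result is left undocumented at the point where it downgrades a would-be Bogus to Insecure; I would replace it with `/* Some part could not be validated (e.g. an NSEC3 with too many iterations), or the NSEC3 covering the next closer name has the Opt-Out flag set and so can only prove an insecure delegation (RFC 5155 section 6); neither warrants Bogus, so go Insecure. */`. Since an Insecure verdict here is what lets the wildcard-expanded answer through without a signature chain, the change is only as safe as getDenial's promise to return OPTOUT solely when the covering NSEC3 actually carries the Opt-Out flag; that function is outside this hunk and worth a glance to confirm no other code path maps to OPTOUT. The body of processRecords continues outside the hunk, so what happens with `st` afterwards cannot be checked here.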