layer/validate: fixed possible bug in NSEC checking code

diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 145817a22ca85a87d95259b01f9c710d74ea2cb7..1ea557684b2b6a56bd2eed6c095002e44843b7a4 100644 (file)
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -76,8 +76,8 @@ static int nsec_nonamematch(const knot_rrset_t *nsec, const knot_dname_t *sname)
 
 #define FLG_NOEXIST_RRTYPE 0x01 /**< <SNAME, SCLASS> exists, <SNAME, SCLASS, STYPE> does not exist. */
 #define FLG_NOEXIST_RRSET  0x02 /**< <SNAME, SCLASS> does not exist. */
-#define FLG_NOEXIST_WILDCARD 0x03 /**< No wildcard covering <SNAME, SCLASS> exists. */
-#define FLG_NOEXIST_CLOSER 0x04 /**< Wildcard covering <SNAME, SCLASS> exists, but doesn't match STYPE. */
+#define FLG_NOEXIST_WILDCARD 0x04 /**< No wildcard covering <SNAME, SCLASS> exists. */
+#define FLG_NOEXIST_CLOSER 0x08 /**< Wildcard covering <SNAME, SCLASS> exists, but doesn't match STYPE. */
 
 /**
  * According to set flags determine whether authenticated denial of existence has been proven.

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 04e8279ab0e16f0effaa6c2eed592811eb58b997..3df24cd420c0365690fa714bbbbb5b2317bd32d9 100644 (file)
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -343,7 +343,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
        if (knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_NXDOMAIN) {
 #warning TODO: validate NSECx proof, RRSIGs will be checked later if it matches
                if (!has_nsec3) {
-                       ret = kr_nsec_existence_denial(pkt, KNOT_AUTHORITY, qry->sname, qry->stype, &req->pool);
+                       ret = kr_nsec_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname, &req->pool);
                } else {
                        ret = kr_nsec3_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname, &req->pool);
                        /* TODO */