only check the bit map
authorMark Andrews <marka@isc.org>
Tue, 31 Jul 2018 04:52:48 +0000 (14:52 +1000)
committerMark Andrews <marka@isc.org>
Thu, 2 Aug 2018 22:21:48 +0000 (08:21 +1000)
bin/tests/system/verify/clean.sh
bin/tests/system/verify/zones/genzones.sh
lib/dns/zoneverify.c

index 7479b86edae246369985d8987934fed265384fae..74c9be2c2c7da2f9792bee62c6c8f763d6dfc936 100644 (file)
@@ -7,12 +7,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f zones/*.good
-rm -f zones/*.good.tmp
+rm -f ns*/named.lock
+rm -f verify.out*
 rm -f zones/*.bad
-rm -f zones/*.bad.tmp
+rm -f zones/*.good
 rm -f zones/*.out*
-rm -f zones/dsset-*
+rm -f zones/*.tmp
 rm -f zones/K*
-rm -f verify.out*
-rm -f ns*/named.lock
+rm -f zones/dsset-*
index 1f8a2ebf3a5a723b2b35dec28569cf3cb57b8795..3cd623ca70f102a89d539f9422434d0efe65f010 100644 (file)
@@ -75,6 +75,28 @@ cp unsigned.db ${file}.tmp
 echo "@ DNAME data" >> ${file}.tmp
 $SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
 
+#
+# generate an NSEC record like
+#      aba NSEC FOO ...
+# then downcase all the FOO records so the next name in the database
+# becomes foo when the zone is loaded.
+#
+setup nsec-next-name-case-mismatch good
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cat << EOF > ${zone}.tmp
+\$TTL 0
+@ IN SOA  foo . ( 1 28800 7200 604800 1800 )
+@ NS foo
+\$include $ksk.key
+\$include $zsk.key
+FOO AAAA ::1
+FOO A 127.0.0.2
+aba CNAME FOO
+EOF
+$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n
+sed 's/^FOO\./foo\./' < ${file}.tmp > ${file}
+
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
 key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
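Review bot: The block comment above the new zone (L35-L40) says the FOO records are downcased but does not say why the NSEC next name is left alone, which is the property this "good" zone tests; the anchored `s/^FOO\./foo\./` rewrites only owner names at the start of a line, so the next-name field inside the `aba` NSEC keeps `FOO` (assuming the signer writes absolute owner names in column 0). Suggest extending the comment with `# The sed pattern is anchored, so only owner names change; the next name inside the aba NSEC keeps its upper-case form, giving the case-only mismatch the verifier must accept.` As a point of style, the signer here reads `${zone}.tmp` while the surrounding tests feed it `${file}.tmp`; if `setup` gives `file` a different name from `zone` this works, but one naming convention for the temporary zone file would read more easily.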
index 3cf5790cdd58769e99f243ea26f94e0de1bc06a7..c3b81bc4322b8ef3d1587c7af0b7345f818690c5 100644 (file)
@@ -219,6 +219,21 @@ goodsig(const vctx_t *vctx, dns_rdata_t *sigrdata, const dns_name_t *name,
        return (ISC_FALSE);
 }
 
+static isc_boolean_t
+nsec_bitmap_equal(dns_rdata_nsec_t *nsec, dns_rdata_t *rdata) {
+       isc_result_t result;
+       dns_rdata_nsec_t tmpnsec;
+
+       result = dns_rdata_tostruct(rdata, &tmpnsec, NULL);
+       RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+       if (nsec->len != tmpnsec.len ||
+           memcmp(nsec->typebits, tmpnsec.typebits, nsec->len) != 0) {
+               return (ISC_FALSE);
+       }
+       return (ISC_TRUE);
+}
+
 static isc_result_t
 verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
           const dns_name_t *nextname, isc_result_t *vresult)
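Review bot: nsec_bitmap_equal (L65-L78) carries no comment explaining why it replaces dns_rdata_compare(), and `nsec` is only read, so it can be declared `const dns_rdata_nsec_t *nsec`. Suggest a header comment such as `/* Compare only the type bit map: the next name has already been checked with dns_name_equal(), and a whole-rdata compare would report a next name that differs only in case as a bit-map mismatch. */`. The memcmp is reached only when the two lengths are equal, which the `||` short-circuit guarantees; a one-line comment saying so saves the next reader a bounds check. The same reasoning applies at the replaced call in the last hunk (L104), where the "Bad NSEC record ... bit map" message now matches what is actually compared.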
@@ -256,6 +271,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
        dns_rdataset_current(&rdataset, &rdata);
        result = dns_rdata_tostruct(&rdata, &nsec, NULL);
        RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
        /* Check next name is consistent */
        if (!dns_name_equal(&nsec.next, nextname)) {
                dns_name_format(name, namebuf, sizeof(namebuf));
@@ -268,6 +284,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
                *vresult = ISC_R_FAILURE;
                goto done;
        }
+
        /* Check bit map is consistent */
        result = dns_nsec_buildrdata(vctx->db, vctx->ver, node, nextname,
                                     buffer, &tmprdata);
@@ -276,7 +293,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
                                     isc_result_totext(result));
                goto done;
        }
-       if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
+       if (!nsec_bitmap_equal(&nsec, &tmprdata)) {
                dns_name_format(name, namebuf, sizeof(namebuf));
                zoneverify_log_error(vctx,
                                     "Bad NSEC record for %s, bit map "