+1 March 2011: Wouter
+ - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
+
24 February 2011: Wouter
- bug #361: Fix, time.elapsed variable not reset with stats_noreset.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
SECTION QUESTION
a.c.x.w.example. IN A
SECTION ANSWER
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
+; example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
+; example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
+; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
+; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
+; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
SECTION ADDITIONAL
ENTRY_END
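Review bot: The six AUTHORITY records added to this CHECK_ANSWER entry (the SOA, its RRSIG and the two NSEC3/RRSIG pairs) are all prefixed with `;`, so they are comments and, with `MATCH all`, the check appears to expect an empty authority section for this NXDOMAIN answer. If that is deliberate, a one-line comment above them such as `; authority records listed for reference only; not expected in the checked answer` would stop a later reader from uncommenting them to "fix" the test. If it is not deliberate, the records should be un-commented so the NSEC3 opt-out proof is actually asserted.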
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
SECTION QUESTION
a.z.w.example. IN MX
SECTION ANSWER
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
SECTION QUESTION
www.sub.example.com. IN DS
SECTION ANSWER
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024}
SECTION ADDITIONAL
ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+rub.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
+example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
+
+; optout
+; example.com. -> onib9mgub9h0rml3cdf5bgrj59dkjhvk.
+; rub.example.com. -> c2bqk3tb4foaenfbp1v0pdk6mor3r7vo.
+; *.example.com. -> 4f3cnt8cu22tngec382jj4gde4rb47ub.
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. NSEC3 1 1 0 - f2bqk3tb4foaenfbp1v0pdk6mor3r7vo NS RRSIG
+
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jk6EYU9qTrmNeeKuQRG7iKyfNJnBt45MToPVpAQ+LoGDC3muy4bkWeKspj68cN9E5wNijfmm1eFK3khSSEnM50mfJbpiwlbKgL0VZz33Zn+Wu8b7sTtdDwDH7MUBLRwHeb7W+NtQIEXPLs4Z3BXHzAXy5ZpSjQ3PJZn6zBx4/dw= ;{id = 57024}
+SECTION ADDITIONAL
+ENTRY_END
RANGE_END
STEP 1 QUERY
SECTION ADDITIONAL
ENTRY_END
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+rub.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+; no AD flag here because of RFC5155 9.2 section.
+; also for NXDOMAIN
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+rub.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
+example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. NSEC3 1 1 0 - f2bqk3tb4foaenfbp1v0pdk6mor3r7vo NS RRSIG
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jk6EYU9qTrmNeeKuQRG7iKyfNJnBt45MToPVpAQ+LoGDC3muy4bkWeKspj68cN9E5wNijfmm1eFK3khSSEnM50mfJbpiwlbKgL0VZz33Zn+Wu8b7sTtdDwDH7MUBLRwHeb7W+NtQIEXPLs4Z3BXHzAXy5ZpSjQ3PJZn6zBx4/dw= ;{id = 57024}
+SECTION ADDITIONAL
+ENTRY_END
+
SCENARIO_END
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN ANY
SECTION ANSWER
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
"that the applicable wildcard did not exist.");
return sec_status_bogus;
}
+
+ if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+ verbose(VERB_ALGO, "nsec3 nameerror proof: nc has optout");
+ return sec_status_insecure;
+ }
return sec_status_secure;
}
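Review bot: The new opt-out check makes this function (whose signature and header comment are outside the hunk) return `sec_status_insecure` for the first time, and the same is true of the proveWildcard hunk that follows; the header comments of both should state that return value, e.g. `@return sec_status_insecure when the NSEC3 covering the next closer name has the Opt-Out flag set (RFC 5155 section 9.2), so the nonexistence is not provable and the answer must not carry the AD bit.` Without that, a caller that only distinguishes secure from bogus would silently treat the opt-out result as a failure. The `ce.nc_rrset &&` guard is presumably redundant if the earlier, out-of-hunk code already rejects a missing next-closer NSEC3 as bogus; a short comment saying why it is kept would help.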
"NSEC3 that covered the next closer name.");
return sec_status_bogus;
}
+ if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+ verbose(VERB_ALGO, "proveWildcard: NSEC3 optout");
+ return sec_status_insecure;
+ }
return sec_status_secure;
}
struct ub_packed_rrset_key** list, size_t num,
struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
{
- enum sec_status sec;
+ enum sec_status sec, secnx;
rbtree_t ct;
struct nsec3_filter flt;
*nodata = 0;
/* try nxdomain and nodata after another, while keeping the
* hash cache intact */
- sec = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
- if(sec==sec_status_secure)
+ secnx = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
+ if(secnx==sec_status_secure)
return sec_status_secure;
sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
if(sec==sec_status_secure) {
*nodata = 1;
+ } else if(sec == sec_status_insecure) {
+ *nodata = 1;
+ } else if(secnx == sec_status_insecure) {
+ sec = sec_status_insecure;
}
return sec;
}
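Review bot: The two branches that set `*nodata = 1` for a secure and for an insecure nodata proof are identical, so they can be a single condition: `if(sec==sec_status_secure || sec==sec_status_insecure) {`, which also makes the precedence (nodata result before the nameerror insecure result) visible in one place. Because `*nodata` is now set for an insecure proof as well, the function's header comment (outside the hunk) should say that `*nodata` is meaningful only together with the returned status, e.g. `*nodata is set when the nodata proof succeeded or was opt-out insecure; check the returned sec_status before trusting it.` The fallback `sec = sec_status_insecure` when the nameerror proof was opt-out insecure and the nodata proof was bogus deserves a one-line comment, since a reader may expect bogus to win.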