- Fix #716: nodata proof with empty non-terminals and wildcards.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 29 Oct 2015 13:08:15 +0000 (13:08 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 29 Oct 2015 13:08:15 +0000 (13:08 +0000)
git-svn-id: file:///svn/unbound/trunk@3526 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/val_nsec.c

index be8e50326ef8552ac3a8922bfa9cd3bde4f672a3..a1b0e66c27af5357a8dde51a8f45da81c68db6f4 100644 (file)
@@ -1,5 +1,6 @@
 29 October 2015: Wouter
        - patch from Doug Hogan for SSL_OP_NO_SSLvx options.
+       - Fix #716: nodata proof with empty non-terminals and wildcards.
 
 28 October 2015: Wouter
        - Fix checklock testcode for linux threads on exit.
index bdfe3c8fa18f306844d36bfc3ea4ee39a86e1ab0..58c571a3dd721904da06be39aeb66f599f0e00bc 100644 (file)
@@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
                                *wc = ce;
                                return 1;
                        }
+               } else {
+                       /* See if the next owner name covers a wildcard
+                        * empty non-terminal. */
+                       while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+                               /* wildcard does not apply if qname below
+                                * the name that exists under the '*' */
+                               if (dname_subdomain_c(qinfo->qname, nm))
+                                       break;
+                               /* but if it is a wildcard and qname is below
+                                * it, then the wildcard applies. The wildcard
+                                * is an empty nonterminal. nodata proven. */
+                               if (dname_is_wild(nm)) {
+                                       size_t ce_len = ln;
+                                       uint8_t* ce = nm;
+                                       dname_remove_label(&ce, &ce_len);
+                                       if(dname_strict_subdomain_c(qinfo->qname, ce)) {
+                                               *wc = ce;
+                                               return 1;
+                                       }
+                               }
+                               dname_remove_label(&nm, &ln);
+                       }
                }
 
                /* Otherwise, this NSEC does not prove ENT and is not a
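Review bot: The `dname_is_wild(nm)` test inside the new `while` loop also runs on the first pass, where, as far as the hunk shows, `nm` is still the NSEC's unmodified next owner name. A next name that is itself a wildcard is an existing owner with its own type bitmap, not an empty non-terminal as the comment above the test says, yet the branch would still set `*wc` and return 1 without that bitmap being consulted here. If only wildcards reached by stripping at least one label are meant, remember the starting name before the loop (`uint8_t* first = nm;`) and test `if (nm != first && dname_is_wild(nm))`; if the caller is instead expected to validate the wildcard's types through another NSEC, a comment saying so belongs at this test. `nm`, `ln` and the rest of nsec_proves_nodata lie outside the hunk, so this should be confirmed against the full function.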