+15 September 2010: Wouter
+ - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
+
14 September 2010: Wouter
- increased mesh-max-activation from 1000 to 3000 for crazy domains
like _tcp.slb.com with 262 servers.
ENTRY_END
; recursion happens here.
-; the same answer gives AD flag for DS, because the optout says no DS exists.
+; no AD flag here because of RFC5155 9.2 section.
+; even though we are sure there is no DS, this is what the RFC says.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
SECTION QUESTION
sub.example.com. IN DS
SECTION ANSWER
"-- no more options, bogus.");
return sec_status_bogus;
}
- /* the optout is a secure denial of DS records */
- if(qinfo->qtype != LDNS_RR_TYPE_DS)
- return sec_status_insecure;
- return sec_status_secure;
+ /* RFC5155 section 9.2: if nc has optout then no AD flag set */
+ return sec_status_insecure;
}
enum sec_status
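Review bot: The comment added before `return sec_status_insecure;` cites the RFC but not the reason, and it speaks of the AD flag although this function returns a validation status. A reader auditing the downgrade from secure to insecure would be better served by `/* RFC5155 section 9.2: names covered by an opt-out NSEC3 may exist as insecure delegations, so this denial is not cryptographically verified; return insecure so no AD flag is set */`. The same comment is repeated in the next hunk (the "DS NOERROR/NODATA case" function) and should get the same wording. Both function bodies start outside their hunks, so if their header comments still promise a secure result for DS queries, those need updating as well.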
"DS NOERROR/NODATA case";
return sec_status_bogus;
}
- return sec_status_secure;
+ /* RFC5155 section 9.2: if nc has optout then no AD flag set */
+ return sec_status_insecure;
}
enum sec_status
msg->rep->rrsets + msg->rep->an_numrrsets,
msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
switch(sec) {
+ case sec_status_insecure:
+ /* case insecure also continues to unsigned
+ * space. If nsec3-iter-count too high or
+ * optout, then treat below as unsigned */
case sec_status_secure:
verbose(VERB_DETAIL, "NSEC3s for the "
"referral proved no DS.");
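Review bot: With `case sec_status_insecure:` now falling through into `case sec_status_secure:`, an opt-out or iteration-count result is logged as "NSEC3s for the referral proved no DS.", which overstates what was verified. Someone reading validator logs to work out why a zone was treated as unsigned cannot tell an authenticated denial from an unauthenticated opt-out span. Consider wording the shared message so it covers both outcomes, or logging the `sec` value alongside it. Also add an explicit `/* fallthrough */` after the new comment so the missing `break` reads as deliberate. The rest of the secure branch lies outside the hunk, so it is worth confirming that everything below the log line is also appropriate for the insecure case.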
"referral did not prove no DS.");
errinf(qstate, reason);
goto return_bogus;
- case sec_status_insecure:
case sec_status_unchecked:
default:
/* NSEC3 proof did not work */