- Fix #1278: Incomplete wildcard proof.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 12 Jun 2017 10:11:28 +0000 (10:11 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 12 Jun 2017 10:11:28 +0000 (10:11 +0000)
git-svn-id: file:///svn/unbound/trunk@4218 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
services/cache/dns.c

index 7bfecdf637ba607099237518b02564110b567e20..952ff7d19e8b683fd6268ba5386c64b2f312bcd3 100644 (file)
@@ -1,3 +1,6 @@
+12 June 2017: Wouter
+       - Fix #1278: Incomplete wildcard proof.
+
 8 June 2017: Ralph
        - Added domain name based ECS whitelist.
 
index 4543aa5eda32e970046a28f3a7b3bac7e53b25cb..764205e53cbec0d23ec49362693a98e5b981c64f 100644 (file)
@@ -41,6 +41,7 @@
 #include "config.h"
 #include "iterator/iter_delegpt.h"
 #include "validator/val_nsec.h"
+#include "validator/val_utils.h"
 #include "services/cache/dns.h"
 #include "services/cache/rrset.h"
 #include "util/data/msgreply.h"
@@ -755,10 +756,16 @@ dns_cache_lookup(struct module_env* env,
        if( qtype != LDNS_RR_TYPE_DS &&
           (rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
                LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
-               struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
-               if(msg) {
-                       lock_rw_unlock(&rrset->entry.lock);
-                       return msg;
+               uint8_t* wc = NULL;
+               /* if the rrset is not a wildcard expansion, with wcname */
+               /* because, if we return that CNAME rrset on its own, it is
+                * missing the NSEC or NSEC3 proof */
+               if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
+                       struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+                       if(msg) {
+                               lock_rw_unlock(&rrset->entry.lock);
+                               return msg;
+                       }
                }
                lock_rw_unlock(&rrset->entry.lock);
        }
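Review bot: The new guard `if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL))` also takes the cache shortcut when `val_rrset_wildcard` returns 0, so an rrset whose wildcard status could not be determined is still answered as a bare CNAME without its NSEC or NSEC3 proof. The helper's definition is not in this hunk, but if 0 is its failure return, the check fails open; `if(val_rrset_wildcard(rrset, &wc) && wc == NULL) {` would build the message only when the rrset is known not to be a wildcard expansion, and otherwise fall through to the existing unlock. The two stacked comments are hard to parse and could be merged into one: `/* only answer from the cached CNAME if it is not a wildcard expansion; a synthesized CNAME returned alone lacks its NSEC or NSEC3 proof */`. dns_cache_lookup begins and ends outside this hunk, so any other single-rrset answers it builds from the cache are not visible here and may need the same guard.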