return DNS_R_DNAME;
}
+ if (relation != dns_namereln_subdomain &&
+ dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+ {
+ /*
+ * An NSEC with an SOA in the bitmap can only cover
+ * names that are subdomains of the owner.
+ */
+ (*logit)(arg, ISC_LOG_DEBUG(3),
+ "ignoring nsec with SOA covering non-subdomain");
+ return ISC_R_IGNORE;
+ }
+
RETERR(dns_rdata_tostruct(&rdata, &nsec, NULL));
relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
if (order == 0) {
rdataset->trust == dns_trust_secure &&
(NEEDNODATA(val) || NEEDNOQNAME(val)) &&
!FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
+ dns_name_issubdomain(val->name,
+ &subvalidator->siginfo->signer) &&
dns_nsec_noexistnodata(val->type, val->name,
subvalidator->name, rdataset,
&exists, &data, wild, validator_log,
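Review bot: The added `dns_name_issubdomain(val->name, &subvalidator->siginfo->signer)` term dereferences `subvalidator->siginfo` with no NULL check visible in this condition. Whether `rdataset->trust == dns_trust_secure` guarantees a populated siginfo is not shown here, so either put `subvalidator->siginfo != NULL &&` ahead of the new term (a NULL then skips the NSEC, which fails closed) or add a comment stating the invariant. The term also lacks the explanatory comment that the other two added checks carry; something like `/* Only use an NSEC whose signer is at or above the name being validated. */` would record the intent. When the term is false the NSEC is skipped silently, as is the `qctx->client->query.qname` check in the following hunk, while the SOA-bitmap check logs at `ISC_LOG_DEBUG(3)`; a matching debug message would make rejected proofs visible when diagnosing validation failures. The enclosing `if` condition starts and ends outside the hunk.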
goto cleanup;
}
+ /*
+ * The query name can't be above the signer of the NSEC.
+ */
+ if (!dns_name_issubdomain(qctx->client->query.qname, signer)) {
+ goto cleanup;
+ }
+
/*
* If NSEC or RRSIG are missing from the type map
* reject the NSEC RRset.