dnssec/nsec: add a precaution when checking DS nodata
authorVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 28 Jun 2017 06:48:40 +0000 (08:48 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 28 Jun 2017 06:51:00 +0000 (08:51 +0200)
I just found it by accident when studying RFCs again.
Hmm, I'd like an operator for logical implication; I'm spoiled by Maths.

lib/dnssec/nsec.c

index 56d6aa271a5222925851bb54b4880bc769d862d6..ea64678ea2ee2378e8f3642b6975982e8a5d3d96 100644 (file)
@@ -237,7 +237,14 @@ static int no_data_response_check_rrtype(int *flags, const knot_rrset_t *nsec,
 
        if (!kr_nsec_bitmap_contains_type(bm, bm_size, type)) {
                /* The type is not listed in the NSEC bitmap. */
-               *flags |= FLG_NOEXIST_RRTYPE;
+               /* Security feature: in case of DS also check for SOA
+                * non-existence to be more certain that we don't hold
+                * a child-side NSEC by some mistake (e.g. when forwarding).
+                * See RFC4035 5.2, next-to-last paragraph. */
+               if (type != KNOT_RRTYPE_DS
+                   || !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) {
+                       *flags |= FLG_NOEXIST_RRTYPE;
+               }
        }
 
        return kr_ok();
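Review bot: The new guard at the DS branch only rejects an NSEC that carries the SOA bit, but a parent-side NSEC at a delegation must also carry the NS bit; RFC 6840 §4.4 requires both (NS set, SOA clear, DS clear) before the record is accepted as proof of an insecure delegation, so an NSEC with neither NS nor SOA still sets FLG_NOEXIST_RRTYPE here. I would extend the condition to `if (type != KNOT_RRTYPE_DS || (kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_NS) && !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)))` and cite RFC 6840 §4.4 next to the existing RFC 4035 reference in the comment. When the DS check fails the function returns kr_ok() with the flag left clear, which presumably makes the caller treat the proof as absent; a short comment saying so would help, since nothing in the hunk records that the rejection is intentional and silent. The head of no_data_response_check_rrtype, including where bm and bm_size come from, is outside the hunk, so whether the owner name has already been matched against the DS name is not visible from here.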