fix NSEC wildcard denial

author Kees Monshouwer <mind04@monshouwer.org>

Thu, 21 Nov 2013 20:46:16 +0000 (21:46 +0100)

committer mind04 <mind04@monshouwer.org>

Fri, 22 Nov 2013 08:07:08 +0000 (09:07 +0100)
author Kees Monshouwer <mind04@monshouwer.org>
Thu, 21 Nov 2013 20:46:16 +0000 (21:46 +0100)
committer mind04 <mind04@monshouwer.org>
Fri, 22 Nov 2013 08:07:08 +0000 (09:07 +0100)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc

index 56bb7e9fc8b167ddec7f4cc08ccb074ebe995701..f1452ddb9164b70a5c2d02a504c327552772b540 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -426,7 +426,7 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
    NSECRecordContent nrc;
    nrc.d_set.insert(QType::RRSIG);
    nrc.d_set.insert(QType::NSEC);
-  if(sd.qname == begin)
+  if(pdns_iequals(sd.qname, begin))
      nrc.d_set.insert(QType::DNSKEY);
  
    DNSResourceRecord rr;
@@ -669,20 +669,17 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co
    sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
    emitNSEC(before, after, target, sd, r, mode);
  
-  if (mode == 2) {
-    // wildcard NO-DATA
+  if (mode == 2 || mode == 4) {
+    // wildcard NO-DATA or wildcard denial
      before.clear();
-    sd.db->getBeforeAndAfterNames(sd.domain_id, auth, wildcard, before, after);
+    string closest(wildcard);
+    if (mode == 4) {
+      (void) chopOff(closest);
+      closest=dotConcat("*", closest);
+    }
+    sd.db->getBeforeAndAfterNames(sd.domain_id, auth, closest, before, after);
      emitNSEC(before, after, target, sd, r, mode);
    }
-
-  if (mode == 4) {
-    // this one does wildcard denial, if applicable
-    before='.';
-    sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after);
-    emitNSEC(auth, after, auth, sd, r, mode);
-  }
-
    return;
  }
  
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result

index 62d0ff0a25b9030ef45786b625dd17d1647b93c7..70dd7577c166701ba3ed0a193bbc450d898e05f1 100644 (file)
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -5,4 +5,4 @@ a2dd754820cb88fdd3d80b54a212a270  ../regression-tests/test.com
  42dd3a56c7d268e75836371878819ec4  ../regression-tests/delegated.dnssec-parent.com
  a63dc120391d9df0003f2ec4f461a6af  ../regression-tests/secure-delegated.dnssec-parent.com
  24514dc104b22206daeb973ff9303545  ../regression-tests/minimal.com
-b62dc3974faf53b7f5ffbaa70788fcfe  ../modules/tinydnsbackend/data.cdb
+a7eda9fdfd9a73961338ad661526c39c  ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result b/regression-tests/nxdomain-below-nonempty-terminal/expected_result

index 5943dc0950f6a7454272f07ad98b1c25dfa6523c..ee42de95ed45ed3b53cabd4f22ecab98ee3d9690 100644 (file)
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
@@ -1,5 +1,3 @@
-1      example.com.    IN      NSEC    86400   double.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1      example.com.    IN      RRSIG   86400   NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
  1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
  1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
  1      outpost.example.com.    IN      NSEC    86400   semi-external.example.com. A RRSIG NSEC
diff --git a/regression-tests/second-level-nxdomain/expected_result b/regression-tests/second-level-nxdomain/expected_result

index 3b761e31df59ec536dd9a24c97baffff80235eb3..27ce149d24a2cdaee66a9b76dd147c11b56e0866 100644 (file)
--- a/regression-tests/second-level-nxdomain/expected_result
+++ b/regression-tests/second-level-nxdomain/expected_result
@@ -1,5 +1,3 @@
-1      example.com.    IN      NSEC    86400   double.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1      example.com.    IN      RRSIG   86400   NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
  1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
  1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
  1      outpost.example.com.    IN      NSEC    86400   semi-external.example.com. A RRSIG NSEC
author	Kees Monshouwer <mind04@monshouwer.org>
	Thu, 21 Nov 2013 20:46:16 +0000 (21:46 +0100)
committer	mind04 <mind04@monshouwer.org>
	Fri, 22 Nov 2013 08:07:08 +0000 (09:07 +0100)
pdns/packethandler.cc		patch \| blob \| blame \| history
regression-tests.nobackend/tinydns-data-check/expected_result		patch \| blob \| blame \| history
regression-tests/nxdomain-below-nonempty-terminal/expected_result		patch \| blob \| blame \| history
regression-tests/second-level-nxdomain/expected_result		patch \| blob \| blame \| history