From: bert hubert <bert.hubert@netherlabs.nl>
Date: Fri, 1 Jul 2016 09:02:26 +0000 (+0200)
Subject: fix nsec3 wrapping issue for insecure delegations
X-Git-Tag: rec-4.0.0~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d38db91c24718553ec4f61502f9f49e48189fce;p=thirdparty%2Fpdns.git

fix nsec3 wrapping issue for insecure delegations
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 25b6e9b4d6..6918f5f06a 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -403,7 +403,8 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
               string h = hashQNameWithSalt(nsec3->d_salt, nsec3->d_iterations, qname);
               LOG("\tquery hash: "<<toBase32Hex(h)<<endl);
               string beginHash=fromBase32Hex(v.first.first.getRawLabels()[0]);
-              if(beginHash < h && h < nsec3->d_nexthash) {
+              if( (beginHash < h && h < nsec3->d_nexthash) ||
+                  (nsec3->d_nexthash > h  && beginHash > nsec3->d_nexthash)) { //wrap
                 LOG("Denies existence of DS!"<<endl);
                 return Insecure;
               }