From: Wouter Wijngaards
Date: Wed, 17 Aug 2011 14:28:32 +0000 (+0000)
Subject: - Fix validation of . DS query.
X-Git-Tag: release-1.4.13rc1~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=22290ac234b31bf6f26749414dc19d95ca624c54;p=thirdparty%2Funbound.git
- Fix validation of . DS query.
git-svn-id: file:///svn/unbound/trunk@2474 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 498910d2e..27d32d4f1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+17 August 2011: Wouter
+ - Fix validation of . DS query.
+
 10 August 2011: Wouter
 - Fix python site-packages path to /usr/lib64.
 - updated patch from Tom.
diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index 75574ffb1..8ebeaa6a7 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -368,7 +368,8 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
 !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
 return 0;
 } else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
- nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
+ nsec_has_type(nsec, LDNS_RR_TYPE_SOA &&
+ !dname_is_root(qinfo->qname))) {
 return 0;
 }
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 8b799ee47..b3a16c325 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -435,7 +435,8 @@ filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list,
 dname_subdomain_c(nm, filter->zone))) {
 /* for a type DS do not accept a zone equal to qname*/
 if(qinfo->qtype == LDNS_RR_TYPE_DS &&
- query_dname_compare(qinfo->qname, nm) == 0)
+ query_dname_compare(qinfo->qname, nm) == 0 &&
+ !dname_is_root(qinfo->qname))
 continue;
 filter->zone = nm;
 filter->zone_len = nmlen;
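Review bot: In the nsec_proves_nodata hunk of validator/val_nsec.c the added `&& !dname_is_root(qinfo->qname)` is inside the nsec_has_type() argument list, so the type argument becomes the boolean `LDNS_RR_TYPE_SOA && !dname_is_root(...)` (0 or 1) and the SOA bit is never tested. For a non-root DS query this would presumably let an apex NSEC with the SOA bit pass as a no-DS proof, which is the case this branch exists to refuse, so a delegation could be treated as insecure although the parent has a DS. The condition should close the call first: `nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&` followed by `!dname_is_root(qinfo->qname)) {`. The nsec3_do_prove_nodata hunk in validator/val_nsec3.c has the same misplaced parenthesis in `nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA && ...)`. nsec_proves_nodata itself starts and ends outside this hunk.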
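Review bot: The comment above the changed condition in the filter_init hunk still reads `/* for a type DS do not accept a zone equal to qname*/`, which no longer describes the code now that the root name is exempted. It could say `/* for a type DS do not accept a zone equal to qname, except for the root, which has no parent zone */` so the exception is not mistaken for an oversight later. The parenthesization in this hunk is correct, with `!dname_is_root(qinfo->qname)` a separate operand of the `&&` chain. filter_init starts and ends outside the hunk.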
@@ -1127,7 +1128,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 * If not type DS: matching nsec3 must not be a delegation.
 */
 if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1
- && nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
+ && nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA &&
+ !dname_is_root(qinfo->qname))) {
 verbose(VERB_ALGO, "proveNodata: apex NSEC3 "
 "abused for no DS proof, bogus");
 return sec_status_bogus;
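Review bot: The condition in this nsec3_do_prove_nodata hunk already carries `qinfo->qname_len != 1` on its context line, which appears to be the root-name exclusion, so the added `!dname_is_root(qinfo->qname)` is redundant here. As written it also sits inside the nsec3_has_type() call and replaces the SOA type argument with a 0/1 value, so the "apex NSEC3 abused for no DS proof" rejection no longer keys on the SOA bit. Leaving the line as `&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {` keeps that test intact, and a short comment such as `/* qname_len == 1: root name, exempt from the apex check */` would document the existing exclusion. The function starts and ends outside the hunk.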