From: Vladimír Čunát
Date: Wed, 24 Jan 2018 14:03:15 +0000 (+0100)
Subject: treewide: fix lower-casing of NSEC next name
X-Git-Tag: v2.0.0~6^2~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ac653fb45ad2e3c5ee0aa2cd222bea0244eb058;p=thirdparty%2Fknot-resolver.git
treewide: fix lower-casing of NSEC next name
---
diff --git a/lib/cache/nsec1.c b/lib/cache/nsec1.c
index a05ea106a..32003f06b 100644
--- a/lib/cache/nsec1.c
+++ b/lib/cache/nsec1.c
@@ -235,6 +235,7 @@ static const char * find_leq_NSEC1(struct kr_cache *cache, const struct kr_query
 return "EINVAL";
 }
 ret = kr_dname_lf(chs, next, false);
+ // FIXME lower-case with libknot-2.7
 if (ret) {
 assert(false);
 return "ERROR";
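Review bot: The FIXME added after `kr_dname_lf(chs, next, false)` in find_leq_NSEC1 marks a spot where the NSEC next name is still used without lower-casing, and the hunk in lib/dnssec/nsec.c leaves the same open item in nsec_covers; only nsec1_encloser gets the actual copy-and-lower-case fix in this commit. Both places handle the next name that bounds what an NSEC record denies (RFC 6840 5.1), so the two markers should be worded identically and state the condition, e.g. `// FIXME(libknot >= 2.7): 'next' must be lower-cased before comparing; see RFC 6840 5.1`, so they are found together when the library is upgraded. As written, one says "libknot-2.7" and the other "libknot >= 2.7", which presumably mean the same thing. Both function bodies start and end outside their hunks, so it cannot be seen here whether `next` could be lower-cased in place at these points.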
@@ -343,15 +344,30 @@ int nsec1_encloser(struct key *k, struct answer *ans,
 kr_dname_print(knot_nsec_next(&nsec_rr->rrs), "", ", ");
 kr_log_verbose("new TTL %d\n", new_ttl);
 }
+
 /* Find label count of the closest encloser.
- * Both points in an NSEC do exist and any prefixes
- * of those names as well (empty non-terminals),
- * but nothing else does inside this "triangle".
+ * Both endpoints in an NSEC do exist (though possibly in a child zone)
+ * and any prefixes of those names as well (empty non-terminals),
+ * but nothing else exists inside this "triangle".
+ *
+ * Note that we have to lower-case the next name for comparison,
+ * even though we have canonicalized NSEC already; see RFC 6840 5.1.
+ * LATER(optim.): it might be faster to use the LFs we already have.
 */
+ knot_dname_t next[KNOT_DNAME_MAXLEN];
+ int ret = knot_dname_to_wire(next, knot_nsec_next(&nsec_rr->rrs), sizeof(next));
+ if (ret >= 0) {
+ ret = knot_dname_to_lower(next);
+ }
+ if (ret < 0) {
+ assert(!ret);
+ return kr_error(ret);
+ }
 *clencl_labels = MAX(
 nsec_matched,
- knot_dname_matched_labels(qry->sname, knot_nsec_next(&nsec_rr->rrs))
+ knot_dname_matched_labels(qry->sname, next)
 );
+
 /* Empty non-terminals don't need to have
 * a matching NSEC record. */
 if (sname_labels == *clencl_labels) {
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 18aaae4e0..85ecf4193 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -85,6 +85,8 @@ int kr_nsec_children_in_zone_check(const uint8_t *bm, uint16_t bm_size)
 static int nsec_covers(const knot_rrset_t *nsec, const knot_dname_t *sname)
 {
 assert(nsec && sname);
+ // FIXME needs explicit lower-casing with libknot >= 2.7
+ // see also RFC 6840 5.1.
 const knot_dname_t *next = knot_nsec_next(&nsec->rrs);
 if (knot_dname_cmp(sname, nsec->owner) <= 0) {
 return abs(ENOENT); /* 'sname' before 'owner', so can't be covered */
diff --git a/lib/rplan.h b/lib/rplan.h
index b4975eb5e..ce589c720 100644
--- a/lib/rplan.h
+++ b/lib/rplan.h
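Review bot: In the new error branch of nsec1_encloser, `assert(!ret);` sits inside `if (ret < 0)` and therefore can never hold; it reads like an invariant check but acts as an unconditional abort in builds with assertions enabled. The failure it guards comes from `knot_dname_to_wire` or `knot_dname_to_lower` applied to the next name of a cached NSEC record, so it depends on record data rather than on program logic, and a malformed or over-long name would stop the process instead of just failing this lookup (whether such a record can reach the cache is not visible here). I would drop the assert and keep only `return kr_error(ret);`, or, if an abort is intended, write `assert(false);` as find_leq_NSEC1 does in the same file. The function body starts and ends outside the hunk.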
@@ -76,7 +76,7 @@ void kr_qflags_clear(struct kr_qflags *fl1, struct kr_qflags fl2);
 */
 struct kr_query {
 struct kr_query *parent;
- knot_dname_t *sname;
+ knot_dname_t *sname; /**< The name to resolve - lower-cased, uncompressed. */
 uint16_t stype;
 uint16_t sclass;
 uint16_t id;