From: Mark Andrews
Date: Fri, 5 Nov 2021 22:30:48 +0000 (+1100)
Subject: Ignore NSEC records without RRSIG and NSEC present
X-Git-Tag: v9.17.21~5^2~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bdd5a9953294f13bb964dde137b02b798ea1a54;p=thirdparty%2Fbind9.git
Ignore NSEC records without RRSIG and NSEC present
dns_nsec_noexistnodata now checks that RRSIG and NSEC are present in the type map. Both types should be present in a correctly constructed NSEC record. This check is in addition to similar checks in resolver.c and validator.c.
---
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 95af49c3a2d..d7aa394f925 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -328,6 +328,16 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 	}
 	dns_rdataset_current(nsecset, &rdata);
 
+#ifdef notyet
+	if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
+	    !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
+	{
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "NSEC missing RRSIG and/or NSEC from type map");
+		return (ISC_R_IGNORE);
+	}
+#endif
+
 	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
 	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
 
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 71a65d48946..ce88b2df51c 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -10069,6 +10069,14 @@ query_coveringnsec(query_ctx_t *qctx) {
 		goto cleanup;
 	}
 
+	/*
+	 * If NSEC or RRSIG are missing from the type map
+	 * reject the NSEC RRset.
+	 */
+	if (!dns_nsec_requiredtypespresent(qctx->rdataset)) {
+		goto cleanup;
+	}
+
 	/*
 	 * Check that we have the correct NOQNAME NSEC record.
 	 */
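Review bot: The new type-map check in dns_nsec_noexistnodata is wrapped in `#ifdef notyet` / `#endif`, so it is compiled out and the function does not actually reject NSEC records lacking RRSIG or NSEC in the type map, contrary to the commit message's "now checks". If the check is deliberately deferred, a one-line comment above `#ifdef notyet` stating why it is disabled and what condition enables it would keep the code and the message in agreement; otherwise the guard should be dropped so the ISC_R_IGNORE path is live. The query.c hunk in the same commit uses the single helper dns_nsec_requiredtypespresent for the equivalent test; if a per-rdata form of that helper exists, calling it here instead of two dns_nsec_typepresent calls would keep the two call sites from drifting. dns_nsec_noexistnodata begins and ends outside this hunk.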
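Review bot: The rejection path added to query_coveringnsec is silent: when dns_nsec_requiredtypespresent fails it jumps straight to `goto cleanup` with no log line, whereas the matching check in nsec.c logs at ISC_LOG_DEBUG(3) before returning. A debug-level log message before the `goto`, using whatever logging helper query.c already uses in this function, would let operators see why covering-NSEC processing was skipped for a response. The definition of dns_nsec_requiredtypespresent is not part of this diff, so I assume it is introduced elsewhere in the series and that `qctx->rdataset` is the NSEC RRset at this point. query_coveringnsec begins and ends outside this hunk.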