From: bert hubert <bert.hubert@netherlabs.nl>
Date: Wed, 27 Apr 2016 17:20:30 +0000 (+0200)
Subject: non opt-out nsec3
X-Git-Tag: rec-4.0.0-alpha3~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=528c121818fe2639016dbeaea60b913e8e60d848;p=thirdparty%2Fpdns.git

non opt-out nsec3
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 1d6de7d033..a682f94c45 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -354,10 +354,15 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
               auto nsec3 = std::dynamic_pointer_cast<NSEC3RecordContent>(r);
               string h = hashQNameWithSalt(nsec3->d_salt, nsec3->d_iterations, qname);
               LOG("\tquery hash: "<<toBase32Hex(h)<<endl);
-              if(fromBase32Hex(v.first.first.getRawLabels()[0]) < h && h < nsec3->d_nexthash) {
+              string beginHash=fromBase32Hex(v.first.first.getRawLabels()[0]);
+              if(beginHash < h && h < nsec3->d_nexthash) {
                 LOG("Denies existence of DS!"<<endl);
                 return Insecure;
               }
+              else if(beginHash == h && !nsec3->d_set.count(QType::DS)) {
+                LOG("Denies existence of DS (not opt-out)"<<endl);
+                return Insecure;
+              }
               else {
                 LOG("Did not cover us, start="<<v.first.first<<", us="<<toBase32Hex(h)<<", end="<<toBase32Hex(nsec3->d_nexthash)<<endl);
               }