From: Remi Gacogne Date: Tue, 23 Feb 2021 17:26:14 +0000 (+0100) Subject: rec: Cleaner way of getting the closest encloser from a NSEC X-Git-Tag: dnsdist-1.6.0-alpha2~12^2~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57fe2038294697306048bc49620cacf5713a4b91;p=thirdparty%2Fpdns.git rec: Cleaner way of getting the closest encloser from a NSEC
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index ae01ea4cec..a1618617c6 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -283,6 +283,16 @@ static bool provesNoDataWildCard(const DNSName& qname, const uint16_t qtype, con
 return false;
 }
+DNSName getClosestEncloserFromNSEC(const DNSName& name, const DNSName& owner, const DNSName& next)
+{
+ DNSName commonWithOwner(name.getCommonLabels(owner));
+ DNSName commonWithNext(name.getCommonLabels(next));
+ if (commonWithOwner.countLabels() >= commonWithNext.countLabels()) {
+ return commonWithOwner;
+ }
+ return commonWithNext;
+}
+
 /*
 This function checks whether the non-existence of a wildcard covering qname|qtype is proven by the NSEC records in validrrsets.
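Review bot: `getClosestEncloserFromNSEC` only yields the real closest encloser when the NSEC formed by `owner`/`next` actually covers `name` (owner sorts before name, name before next, in canonical order); the new function neither checks nor states that precondition, and for an NSEC that does not cover `name` it silently returns whatever common ancestor the two names happen to share, which the caller then turns into a wildcard candidate. Since the function is now exported through validate.hh rather than file-local, I would put the contract above the definition: `/* Returns the closest encloser of 'name' as proven by the NSEC (owner, next). Precondition: the caller must already have established that this NSEC covers 'name'; the result is meaningless otherwise. */`. The `>=` tie-break is fine as written: when both common suffixes have the same label count they are the same name, so either may be returned. This reading also assumes `DNSName::getCommonLabels` returns the common trailing (suffix) labels, which is not visible in this hunk and worth confirming in the comment.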
@@ -301,25 +311,16 @@ static bool provesNoWildCard(const DNSName& qname, const uint16_t qtype, const c } const DNSName owner = getNSECOwnerName(v.first.first, v.second.signatures); - /* - A NSEC can only prove the non-existence of a wildcard with at least the same - number of labels than the intersection of its owner name and next name. - */ - const DNSName commonLabels = owner.getCommonLabels(nsec->d_next); - const unsigned int commonLabelsCount = commonLabels.countLabels(); - - DNSName wildcard(qname); - unsigned int wildcardLabelsCount = wildcard.countLabels(); - while (wildcard.chopOff() && wildcardLabelsCount >= commonLabelsCount) { - DNSName target = g_wildcarddnsname + wildcard; - --wildcardLabelsCount; - - LOG("Comparing owner: "<d_next); + if (closestEncloser.countLabels() >= qname.countLabels()) { + continue; + } + DNSName wildcard = g_wildcarddnsname + closestEncloser; + LOG("Comparing owner: "<d_next)) { - LOG("\tWildcard is covered"<d_next)) { + LOG("\tWildcard is covered"< getZoneCuts(const DNSName& begin, const DNSName& en bool isRRSIGNotExpired(const time_t now, const shared_ptr& sig) { - // Should use https://www.rfc-editor.org/rfc/rfc4034.txt section 3.1.5 + // Should use https://www.rfc-editor.org/rfc/rfc4034.txt section 3.1.5 return sig->d_sigexpire >= now; } bool isRRSIGIncepted(const time_t now, const shared_ptr& sig) { - // Should use https://www.rfc-editor.org/rfc/rfc4034.txt section 3.1.5 + // Should use https://www.rfc-editor.org/rfc/rfc4034.txt section 3.1.5 return sig->d_siginception - g_signatureInceptionSkew <= now; } @@ -954,7 +955,7 @@ cspmap_t harvestCSPFromRecs(const vector& recs) for(const auto& rec : recs) { // cerr<<"res "<(rec); if (rrc) { diff --git a/pdns/validate.hh b/pdns/validate.hh index ae3831f8dd..daafe962c5 100644 --- a/pdns/validate.hh +++ b/pdns/validate.hh 
@@ -97,6 +97,7 @@ dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner bool isNSEC3AncestorDelegation(const DNSName& signer, const DNSName& owner, const std::shared_ptr& nsec3); DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector >& signatures); +DNSName getClosestEncloserFromNSEC(const DNSName& name, const DNSName& owner, const DNSName& next); template bool isTypeDenied(const NSEC& nsec, const QType& type) {