From: Marek VavruĊĦa
Date: Mon, 18 Jun 2018 23:56:53 +0000 (-0700)
Subject: nsec: correct wildcard proof check with queried for literal wildcard
X-Git-Tag: v2.4.0~20^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=638413f8f49c21bb79d1e2ce83ff3b4f8c8c875d;p=thirdparty%2Fknot-resolver.git

nsec: correct wildcard proof check with queried for literal wildcard

The validation fails in current implementation when queried directly for the wildcard. In that case the count of the common labels with the NSEC record is the same, and not shorter by 1 (to accomodate wildcard expansion).
---
diff --git a/NEWS b/NEWS
index cdbc4ab53..2483384f1 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ New features
 
 Bugfixes
 --------
 - avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
+- fix validation of explicit wildcard queries (#274)
 
 Knot Resolver 2.3.0 (2018-04-23)
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index ab22ffbe3..5b961dc42 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -380,13 +380,15 @@ static int wildcard_match_check(const knot_pkt_t *pkt, const knot_pktsection_t *
 if (!knot_dname_is_wildcard(rrset->owner)) {
 continue;
 }
- int wcard_labels = knot_dname_labels(rrset->owner, NULL);
- int common_labels = knot_dname_matched_labels(rrset->owner, sname);
- int rrsig_labels = coverign_rrsig_labels(rrset, sec);
- if (wcard_labels < 1 ||
- common_labels != wcard_labels - 1 ||
- common_labels != rrsig_labels) {
- continue;
+ if (!knot_dname_is_equal(rrset->owner, sname)) {
+ int wcard_labels = knot_dname_labels(rrset->owner, NULL);
+ int common_labels = knot_dname_matched_labels(rrset->owner, sname);
+ int rrsig_labels = coverign_rrsig_labels(rrset, sec);
+ if (wcard_labels < 1 ||
+ common_labels != wcard_labels - 1 ||
+ common_labels != rrsig_labels) {
+ continue;
+ }
 }
 int ret = no_data_response_check_rrtype(&flags, rrset, stype);
 if (ret != 0) {
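Review bot: The new `if (!knot_dname_is_equal(rrset->owner, sname))` guard skips every label-count check for a literal-wildcard query, including the comparison against `coverign_rrsig_labels(rrset, sec)`, so on that path an NSEC whose covering RRSIG carries an inconsistent Labels field is no longer filtered out and only `no_data_response_check_rrtype` stands between it and acceptance. If `coverign_rrsig_labels` returns the RRSIG Labels field (its body is outside the hunk), that field does not count the leading `*` (RFC 4034 §3.1.3), so `rrsig_labels == wcard_labels - 1` must hold in both the expanded and the literal case and only the expected `common_labels` differs; the check can be kept for both cases instead of being bypassed, as sketched below. This may duplicate a label check the signature validator performs elsewhere, which I cannot see from here, but keeping it here costs nothing and keeps the proof check self-contained. `wildcard_match_check` starts and ends outside the hunk.
```c
		/* … unchanged: knot_dname_is_wildcard() guard … */
		int wcard_labels = knot_dname_labels(rrset->owner, NULL);
		int common_labels = knot_dname_matched_labels(rrset->owner, sname);
		int rrsig_labels = coverign_rrsig_labels(rrset, sec);
		/* A literal query for the wildcard name itself matches the whole
		 * owner; an expanded match shares one label fewer.  The RRSIG
		 * Labels field never counts the leading '*' (RFC 4034 §3.1.3),
		 * so it is checked the same way in both cases. */
		bool literal_wildcard = knot_dname_is_equal(rrset->owner, sname);
		int expected_common = literal_wildcard ? wcard_labels : wcard_labels - 1;
		if (wcard_labels < 1 ||
		    common_labels != expected_common ||
		    rrsig_labels != wcard_labels - 1) {
			continue;
		}
		/* … unchanged: no_data_response_check_rrtype() call … */
```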