From: Karel Slany
Date: Wed, 12 Aug 2015 20:23:08 +0000 (+0200)
Subject: layer/validate: fixed possible bug in NSEC checking code
X-Git-Tag: v1.0.0-beta1~53^2~110
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7994aed6c9cc10a9b6d35772aa522fe2fe56c8ee;p=thirdparty%2Fknot-resolver.git
layer/validate: fixed possible bug in NSEC checking code
---
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 145817a22..1ea557684 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -76,8 +76,8 @@ static int nsec_nonamematch(const knot_rrset_t *nsec, const knot_dname_t *sname)
 #define FLG_NOEXIST_RRTYPE 0x01 /**< exists, does not exist. */
 #define FLG_NOEXIST_RRSET 0x02 /**< does not exist. */
-#define FLG_NOEXIST_WILDCARD 0x03 /**< No wildcard covering exists. */
-#define FLG_NOEXIST_CLOSER 0x04 /**< Wildcard covering exists, but doesn't match STYPE. */
+#define FLG_NOEXIST_WILDCARD 0x04 /**< No wildcard covering exists. */
+#define FLG_NOEXIST_CLOSER 0x08 /**< Wildcard covering exists, but doesn't match STYPE. */
 /**
 * According to set flags determine whether authenticated denial of existence has been proven.
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 04e8279ab..3df24cd42 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -343,7 +343,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 if (knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_NXDOMAIN) {
 #warning TODO: validate NSECx proof, RRSIGs will be checked later if it matches
 if (!has_nsec3) {
- ret = kr_nsec_existence_denial(pkt, KNOT_AUTHORITY, qry->sname, qry->stype, &req->pool);
+ ret = kr_nsec_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname, &req->pool);
 } else {
 ret = kr_nsec3_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname, &req->pool);
 /* TODO */
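Review bot: The `FLG_NOEXIST_*` values in lib/dnssec/nsec.c appear to be independent bits that get OR-ed together, yet they are still written as unrelated hex literals, which is how `0x03` (equal to `FLG_NOEXIST_RRTYPE | FLG_NOEXIST_RRSET`) slipped in. Writing the two changed lines as shifts, `#define FLG_NOEXIST_WILDCARD (1 << 2)` and `#define FLG_NOEXIST_CLOSER (1 << 3)`, makes the one-bit-per-flag rule visible to whoever adds the next flag. A comment above the group such as `/* Bit flags, OR-ed together; each value must be a distinct power of two. */` would record the invariant. With the old values, setting the wildcard flag presumably also marked the RRTYPE and RRSET conditions as seen in the function documented just below, so a test that sets each flag on its own and checks the denial-of-existence verdict would guard this validation path.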
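Review bot: The `#warning TODO` left above the NXDOMAIN branch in lib/layer/validate.c still says the NSECx proof is not validated and that RRSIGs are checked later, so it is unclear whether `kr_nsec_name_error_response_check()` now runs over NSEC records whose signatures have already been verified. If it does not, the proof only counts once those RRSIGs validate, and that ordering should be stated at the call, e.g. `/* NSEC proof is evaluated here; it counts only if the NSEC RRSIGs verify later. */`, with the `#warning` text updated to name what is still missing. The handling of `ret` is outside the hunk; confirm that a non-zero result fails the answer closed rather than letting an unproven NXDOMAIN through. validate() starts and ends outside the hunk.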