From: Remi Gacogne Date: Tue, 5 Sep 2017 14:10:33 +0000 (+0200) Subject: rec: Fix erroneous check for section 4.1 of rfc6840 X-Git-Tag: rec-4.1.0-rc1~48^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95208ae3b2a5a416e143be918e3f4ea8ad413b36;p=thirdparty%2Fpdns.git rec: Fix erroneous check for section 4.1 of rfc6840 --- diff --git a/pdns/validate.cc b/pdns/validate.cc index 1d472bd1fc..176af6d44a 100644 --- a/pdns/validate.cc +++ b/pdns/validate.cc @@ -57,6 +57,22 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 if(!nsec) continue; + /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs": + Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume + nonexistence of any RRs below that zone cut, which include all RRs at + that (original) owner name other than DS RRs, and all RRs below that + owner name regardless of type. + */ + if (nsec->d_set.count(QType::NS) && !nsec->d_set.count(QType::SOA) && + getSigner(v.second.signatures).countLabels() < v.first.first.countLabels()) { + LOG("type is "<d_set.count(QType::NS))<<", SOA is "<d_set.count(QType::SOA))<<", signer is "<d_set.count(qtype)) { 
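Review bot: The relocated ancestor-delegation guard now runs ahead of the NXQTYPE check for every query type, including DS, so the parent-signed NSEC at a zone cut — the one record RFC 6840 §4.1 (quoted in the new comment) still allows as proof that a DS is absent — is skipped with `continue` and a DS denial can no longer be established from it in this loop. Gate the guard on the query type, e.g. `if (qtype != QType::DS && nsec->d_set.count(QType::NS) && !nsec->d_set.count(QType::SOA) &&`, leaving the rest of the condition as is. The signer test compares label counts only, which shows the signer is shorter than the owner name but not that it is an ancestor of it; that is acceptable only if validrrsets can never hold an NSEC whose validated signer is an unrelated shorter name, which the hunk does not show. The new LOG line is garbled in this rendering, and getDenial's body, including whatever owner/qname comparison precedes the NXQTYPE return and any separate handling of DS denial by the caller, continues outside the hunk, so those cannot be confirmed here.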
@@ -68,20 +84,6 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 return NXQTYPE; } - /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs": - Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume - nonexistence of any RRs below that zone cut, which include all RRs at - that (original) owner name other than DS RRs, and all RRs below that - owner name regardless of type. - */ - LOG("type is "<d_set.count(QType::NS))<<", SOA is "<d_set.count(QType::SOA))<<", signer is "<d_set.count(QType::NS) && !nsec->d_set.count(QType::SOA) && - getSigner(v.second.signatures).countLabels() < v.first.first.countLabels()) { - /* this is an "ancestor delegation" NSEC RR */ - LOG("An ancestor delegation NSEC RR can only deny the existence of a DS"); - continue; - } - /* check if the whole NAME is denied existing */ if(isCoveredByNSEC(qname, v.first.first, nsec->d_next)) { LOG("Denies existence of name "<