From: Mark Andrews
Date: Tue, 31 Jul 2018 04:52:48 +0000 (+1000)
Subject: only check the bit map
X-Git-Tag: v9.13.3~79^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a94db466314542759f3144e77f64c3fcc9c78ce0;p=thirdparty%2Fbind9.git

only check the bit map
---

diff --git a/bin/tests/system/verify/clean.sh b/bin/tests/system/verify/clean.sh
index 7479b86edae..74c9be2c2c7 100644
--- a/bin/tests/system/verify/clean.sh
+++ b/bin/tests/system/verify/clean.sh
@@ -7,12 +7,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f zones/*.good
-rm -f zones/*.good.tmp
+rm -f ns*/named.lock
+rm -f verify.out*
 rm -f zones/*.bad
-rm -f zones/*.bad.tmp
+rm -f zones/*.good
 rm -f zones/*.out*
-rm -f zones/dsset-*
+rm -f zones/*.tmp
 rm -f zones/K*
-rm -f verify.out*
-rm -f ns*/named.lock
+rm -f zones/dsset-*
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh
index 1f8a2ebf3a5..3cd623ca70f 100644
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -75,6 +75,28 @@ cp unsigned.db ${file}.tmp
 echo "@ DNAME data" >> ${file}.tmp
 $SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n
 
+#
+# generate an NSEC record like
+# aba NSEC FOO ...
+# then downcase all the FOO records so the next name in the database
+# becomes foo when the zone is loaded.
+#
+setup nsec-next-name-case-mismatch good
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cat << EOF > ${zone}.tmp
+\$TTL 0
+@ IN SOA foo . ( 1 28800 7200 604800 1800 )
+@ NS foo
+\$include $ksk.key
+\$include $zsk.key
+FOO AAAA ::1
+FOO A 127.0.0.2
+aba CNAME FOO
+EOF
+$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n
+sed 's/^FOO\./foo\./' < ${file}.tmp > ${file}
+
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
 key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c
index 3cf5790cdd5..c3b81bc4322 100644
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -219,6 +219,21 @@ goodsig(const vctx_t *vctx, dns_rdata_t *sigrdata, const dns_name_t *name,
 	return (ISC_FALSE);
 }
 
+static isc_boolean_t
+nsec_bitmap_equal(dns_rdata_nsec_t *nsec, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdata_nsec_t tmpnsec;
+
+	result = dns_rdata_tostruct(rdata, &tmpnsec, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (nsec->len != tmpnsec.len ||
+	    memcmp(nsec->typebits, tmpnsec.typebits, nsec->len) != 0) {
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 static isc_result_t
 verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 	   const dns_name_t *nextname, isc_result_t *vresult)
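Review bot: `nsec_bitmap_equal` carries no comment saying that it compares only the type bit map, so a reader will take it for a full NSEC equality test and may later "fix" the caller back to a whole-rdata compare; suggest a header such as `/* Compare only the type bit maps of two NSEC RRs. The next name is checked by the caller with dns_name_equal(), which is case-insensitive; a byte-wise dns_rdata_compare() would wrongly reject a next name that differs only in case. */`. Neither parameter is written through, so `const dns_rdata_nsec_t *nsec` and `const dns_rdata_t *rdata` would document that; dns_rdata_tostruct's rdata parameter is const-qualified in this tree, so no cast is needed. The RUNTIME_CHECK on the tostruct result is presumably acceptable because the rdata parsed here is built by dns_nsec_buildrdata() from the database rather than taken from the wire, but that assumption is worth one line of comment next to it. Since `tmpnsec.typebits` is compared against `nsec->typebits`, the comment should also say that the caller's struct must still refer to live rdata storage when this is called.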
@@ -256,6 +271,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 		dns_rdataset_current(&rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		/* Check next name is consistent */
 		if (!dns_name_equal(&nsec.next, nextname)) {
 			dns_name_format(name, namebuf, sizeof(namebuf));
@@ -268,6 +284,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 			*vresult = ISC_R_FAILURE;
 			goto done;
 		}
+		/* Check bit map is consistent */
 		result = dns_nsec_buildrdata(vctx->db, vctx->ver, node, nextname,
 					     buffer, &tmprdata);
@@ -276,7 +293,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 					     isc_result_totext(result));
 			goto done;
 		}
-		if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
+		if (!nsec_bitmap_equal(&nsec, &tmprdata)) {
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			zoneverify_log_error(vctx,
					     "Bad NSEC record for %s, bit map "
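Review bot: The `nsec_bitmap_equal(&nsec, &tmprdata)` test in the last hunk now relies on the dns_name_equal() check above it being the only validation of `nsec.next`, and that comparison is case-insensitive, so the verifier deliberately accepts an NSEC whose next name differs from the database's next name only in case, which is what the new nsec-next-name-case-mismatch zone exercises; neither added comment records this, so the reason for dropping dns_rdata_compare() is lost. Suggest expanding the comment added in the -268 hunk to `/* Check bit map is consistent; the next name was already compared above (case-insensitively), so compare only the bit map rather than the whole rdata, which would reject case-only differences. */`. The -256 hunk is comment-only and needs nothing further. verifynsec's body starts and ends outside these hunks.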