From: Wouter Wijngaards
Date: Wed, 15 Sep 2010 07:08:09 +0000 (+0000)
Subject: - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
X-Git-Tag: release-1.4.7rc1~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3f180eebb8ea0a55f2c506d5e9dac85f80078d2;p=thirdparty%2Funbound.git
- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
git-svn-id: file:///svn/unbound/trunk@2233 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 00834433b..8d4a5ce51 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+15 September 2010: Wouter
+ - Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
+
14 September 2010: Wouter - increased mesh-max-activation from 1000 to 3000 for crazy domains like _tcp.slb.com with 262 servers.
diff --git a/testdata/val_nsec3_optout_ad.rpl b/testdata/val_nsec3_optout_ad.rpl
index cf81ba3b7..50d6fe099 100644
--- a/testdata/val_nsec3_optout_ad.rpl
+++ b/testdata/val_nsec3_optout_ad.rpl
@@ -185,11 +185,12 @@ sub.example.com. IN DS
ENTRY_END
; recursion happens here.
-; the same answer gives AD flag for DS, because the optout says no DS exists.
+; no AD flag here because of RFC5155 9.2 section.
+; even though we are sure there is no DS, this is what the RFC says.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
SECTION QUESTION
sub.example.com. IN DS
SECTION ANSWER
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index af01b2438..e966ca7bf 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1179,10 +1179,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
"-- no more options, bogus.");
return sec_status_bogus;
}
- /* the optout is a secure denial of DS records */
- if(qinfo->qtype != LDNS_RR_TYPE_DS)
- return sec_status_insecure;
- return sec_status_secure;
+ /* RFC5155 section 9.2: if nc has optout then no AD flag set */
+ return sec_status_insecure;
}
enum sec_status
@@ -1348,7 +1346,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
"DS NOERROR/NODATA case";
return sec_status_bogus;
}
- return sec_status_secure;
+ /* RFC5155 section 9.2: if nc has optout then no AD flag set */
+ return sec_status_insecure;
}
enum sec_status
diff --git a/validator/validator.c b/validator/validator.c
index 75d44ee9c..ce6d71b4d 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -2428,6 +2428,10 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
msg->rep->rrsets + msg->rep->an_numrrsets,
msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
switch(sec) {
+ case sec_status_insecure:
+ /* case insecure also continues to unsigned
+ * space. If nsec3-iter-count too high or
+ * optout, then treat below as unsigned */
case sec_status_secure:
verbose(VERB_DETAIL, "NSEC3s for the "
"referral proved no DS.");
@@ -2446,7 +2450,6 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
"referral did not prove no DS.");
errinf(qstate, reason);
goto return_bogus;
- case sec_status_insecure:
case sec_status_unchecked:
default: /* NSEC3 proof did not work */
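Review bot: The new comment on the final return of nsec3_do_prove_nodata says only that "no AD flag" is set, not why the answer cannot be authenticated, and the next reader will be tempted to reinstate the DS special case this hunk removes. The security reason is that an opt-out NSEC3 covering the next-closer name proves only that no *signed* delegation exists there; an unsigned delegation may still exist, which is why RFC 5155 §9.2 forbids AD on any answer built from such a closest-encloser proof, DS queries included. Suggest: `/* RFC5155 9.2: the opt-out NSEC3 covering the next closer name proves only that no secure delegation exists; an insecure one may, so this answer cannot be authenticated. Return insecure (no AD), also for DS. */`. The opt-out check that leads to this return lies earlier in the function, outside the hunk.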
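Review bot: Changing the success return of nsec3_prove_nods from secure to insecure alters what every caller sees for a valid opt-out referral, yet the only caller adjusted in this commit is ds_response_to_ke; a caller that still treats insecure as "the NSEC3 proof did not work" (exactly how ds_response_to_ke behaved before this patch) would now reject a correct opt-out proof. I cannot see from this hunk whether other callers exist, so this is worth a grep before merging. The comment should also state the reason rather than the effect, e.g. `/* RFC5155 9.2: an opt-out NSEC3 only proves no secure delegation, not that no delegation exists, so the no-DS proof cannot be authenticated; return insecure. */`. nsec3_prove_nods starts outside the hunk.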
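Review bot: Falling through from the new `case sec_status_insecure:` into `case sec_status_secure:` means the VERB_DETAIL message "NSEC3s for the referral proved no DS." is now logged even when, as the new comment itself says, the NSEC3 iteration count was too high and nothing was proved; an operator reading the log cannot then tell a genuine opt-out proof from a delegation that was downgraded to unsigned because it could not be checked. Suggest including the status in the message, e.g. `verbose(VERB_DETAIL, "NSEC3s for the referral proved no DS (%s).", sec == sec_status_secure ? "secure" : "insecure: optout or nsec3 iterations too high");`, assuming verbose() is printf-style as elsewhere in unbound, and add `/* fallthrough */` after the comment so the intent survives -Wimplicit-fallthrough. The body of ds_response_to_ke continues outside the hunk, so I cannot confirm what the shared arm does after the log call.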