From: Evan Hunt Date: Sat, 23 May 2026 04:04:03 +0000 (-0700) Subject: Check that an NSEC signer is at or above the name to be validated X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5f99f3508b74e9c4532441d6a63f0d5e490dea7;p=thirdparty%2Fbind9.git Check that an NSEC signer is at or above the name to be validated Add a check that an NSEC record being used as a proof of nonexistence for a given name is not signed by a name lower in the DNS hierarchy than the one in question. Fixes: isc-projects/bind9#5876
---
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index fabe279d504..eda153cbe25 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -416,6 +416,18 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 return DNS_R_DNAME;
 }
 
+ if (relation != dns_namereln_subdomain &&
+ dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+ {
+ /*
+ * An NSEC with an SOA in the bitmap can only cover
+ * names that are subdomains of the owner.
+ */
+ (*logit)(arg, ISC_LOG_DEBUG(3),
+ "ignoring nsec with SOA covering non-subdomain");
+ return ISC_R_IGNORE;
+ }
+
 RETERR(dns_rdata_tostruct(&rdata, &nsec, NULL));
 relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
 if (order == 0) {
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 576c02acb29..54e410c834c 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -851,6 +851,8 @@ validator_callback_nsec(void *arg) { rdataset->trust == dns_trust_secure && (NEEDNODATA(val) || NEEDNOQNAME(val)) && !FOUNDNODATA(val) && !FOUNDNOQNAME(val) && + dns_name_issubdomain(val->name, + &subvalidator->siginfo->signer) && dns_nsec_noexistnodata(val->type, val->name, subvalidator->name, rdataset, &exists, &data, wild, validator_log,
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 583bcdf8a64..ec8b3df8683 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
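Review bot: The comment on the new SOA block in nsec.c says what the check does but not why a non-subdomain name can ever land in an apex NSEC's range, which is the fact a future reader needs to keep the check from being "simplified" away. The SOA bit marks the zone-apex NSEC, and an NSEC's range can wrap around (next name at or before the owner) so that it canonically covers names outside the zone; I would extend the comment to `/* An NSEC whose bitmap has SOA is the zone-apex NSEC. Its range can wrap around and appear to cover names outside the zone, but an NSEC can only prove anything about names at or below its owner, so reject it unless the name is a subdomain of the owner. */`. `relation` is computed above the hunk (dns_nsec_noexistnodata begins outside it), so I am assuming it still holds the relation of `name` to the NSEC owner at this point, as the neighbouring NS/DNAME checks appear to assume as well; worth confirming nothing between them reassigns it. If the header that declares dns_nsec_noexistnodata enumerates its return values, the new ISC_R_IGNORE cause should be added there too.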
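Review bot: The added operand in validator.c dereferences `subvalidator->siginfo` without a NULL test, and the hunk does not show where siginfo is assigned; if it is guaranteed non-NULL whenever `rdataset->trust == dns_trust_secure` holds, the short-circuit order makes this safe, but if not it is a crash on a remotely supplied record, so please confirm the invariant or add `subvalidator->siginfo != NULL &&` just before the new operand. Note that dns_name_issubdomain also accepts equality, which is what is wanted here: the name may be at or below the signer. A proof rejected by this operand vanishes silently, whereas the nsec.c check in this same commit logs at ISC_LOG_DEBUG(3); consider emitting a validator_log debug message naming the signer when the subdomain test fails, so rejected proofs can be traced during incident analysis. The enclosing `if` and validator_callback_nsec both begin outside the hunk.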
@@ -9522,6 +9522,13 @@ query_coveringnsec(query_ctx_t *qctx) {
 goto cleanup;
 }
 
+ /*
+ * The query name can't be above the signer of the NSEC.
+ */
+ if (!dns_name_issubdomain(qctx->client->query.qname, signer)) {
+ goto cleanup;
+ }
+
 /*
 * If NSEC or RRSIG are missing from the type map
 * reject the NSEC RRset.
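Review bot: The new comment in query.c ("can't be above the signer") understates the rule the code enforces: dns_name_issubdomain accepts equality, so the condition is that qname must be at or below the signer, i.e. inside the zone that produced the NSEC. I would reword it to `/* The query name must be at or below the NSEC's signer: an NSEC can only prove nonexistence within the zone that signed it. */`. `signer` is set outside the hunk (presumably from the covering RRSIG), so I am assuming it is already populated and non-NULL on this path. Unlike the nsec.c check in this commit, the rejection here is silent; a debug-level log before the `goto cleanup` would make it possible to see why a covering NSEC was not used. query_coveringnsec continues outside the hunk.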