From: Vladimír Čunát
Date: Wed, 28 Jun 2017 06:48:40 +0000 (+0200)
Subject: dnssec/nsec: add a precaution when checking DS nodata
X-Git-Tag: v1.3.2~17^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de979a3b735f944ee94c51776d97e1c046dde9d7;p=thirdparty%2Fknot-resolver.git
dnssec/nsec: add a precaution when checking DS nodata
I just found it by accident when studying RFCs again. Hmm, I'd like an operator for logical implication; I'm spoiled by Maths.
---
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 56d6aa271..ea64678ea 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -237,7 +237,14 @@ static int no_data_response_check_rrtype(int *flags, const knot_rrset_t *nsec,
 if (!kr_nsec_bitmap_contains_type(bm, bm_size, type)) {
 /* The type is not listed in the NSEC bitmap. */
- *flags |= FLG_NOEXIST_RRTYPE;
+ /* Security feature: in case of DS also check for SOA
+ * non-existence to be more certain that we don't hold
+ * a child-side NSEC by some mistake (e.g. when forwarding).
+ * See RFC4035 5.2, next-to-last paragraph. */
+ if (type != KNOT_RRTYPE_DS
+ || !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) {
+ *flags |= FLG_NOEXIST_RRTYPE;
+ }
 }
 return kr_ok();