From: Willem Toorop Date: Fri, 10 Oct 2014 21:22:06 +0000 (+0200) Subject: Fit left over NSEC3s once more before adding ents X-Git-Tag: release-1.7.0-rc1~134 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df647670ecc632d842d9ed5746964714b75a6fc3;p=thirdparty%2Fldns.git Fit left over NSEC3s once more before adding ents Where ents is empty-non-terminals. Thanks Stuart Browne. --- diff --git a/Changelog b/Changelog index 5a9390f3..d1df1c04 100644 --- a/Changelog +++ b/Changelog @@ -30,6 +30,8 @@ TBD * Let ldns-keygen output .ds files only for KSK keys * Parse RFC7218 TLSA mnemonics, but do not output them * Let ldns-dane use SPKI as the default selector i.s.o. Cert + * bugfix: Fit left over NSEC3s once more before adding empty non + terminals. Thanks Stuart Browne 1.6.17 2014-01-10 * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a diff --git a/dnssec_zone.c b/dnssec_zone.c index 70b6627f..0f9edc00 100644 --- a/dnssec_zone.c +++ b/dnssec_zone.c 
@@ -604,11 +604,19 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin, ldns_rdf *my_prev = NULL; ldns_dnssec_zone *newzone = ldns_dnssec_zone_new(); + /* NSEC3s may occur before the names they refer to. We must remember + them and add them to the name later on, after the name is read. + We track not yet matching NSEC3s*n the todo_nsec3s list */ + ldns_rr_list* todo_nsec3s = ldns_rr_list_new(); /* when reading NSEC3s, there is a chance that we encounter nsecs for empty nonterminals, whose nonterminals we cannot derive yet - because the needed information is to be read later. in that case - we keep a list of those nsec3's and retry to add them later */ - ldns_rr_list* todo_nsec3s = ldns_rr_list_new(); + because the needed information is to be read later. + + nsec3_ents (where ent is e.n.t.; i.e. empty non terminal) will + hold the NSEC3s that still didn't have a matching name in the + zone tree, even after all names were read. They can only match + after the zone is equiped with all the empty non terminals. */ + ldns_rr_list* todo_nsec3_ents = ldns_rr_list_new(); ldns_rr_list* todo_nsec3_rrsigs = ldns_rr_list_new(); ldns_status status; 
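Review bot: The new `todo_nsec3_ents` list is allocated with `ldns_rr_list_new()` and no NULL check is visible in this hunk. Unless the allocations are checked after `ldns_status status;` (outside the hunk), a failed allocation would reach `ldns_rr_list_push_rr(todo_nsec3_ents, cur_rr)` in the later retry loop. A guard placed after the declarations would cover it, e.g. `if (!todo_nsec3_ents) { status = LDNS_STATUS_MEM_ERR; goto error; }`. The added comment also calls the list `nsec3_ents` although the variable is `todo_nsec3_ents`, and `NSEC3s*n` looks like a typo for `NSEC3s in`.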
@@ -690,23 +698,25 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, ldns_rdf* origin, } } - if (ldns_rr_list_rr_count(todo_nsec3s) > 0) { + for (i = 0; status == LDNS_STATUS_OK && + i < ldns_rr_list_rr_count(todo_nsec3s); i++) { + cur_rr = ldns_rr_list_rr(todo_nsec3s, i); + status = ldns_dnssec_zone_add_rr(newzone, cur_rr); + if (status == LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND) + ldns_rr_list_push_rr(todo_nsec3_ents, cur_rr); + } + if (ldns_rr_list_rr_count(todo_nsec3_ents) > 0) (void) ldns_dnssec_zone_add_empty_nonterminals(newzone); - for (i = 0; status == LDNS_STATUS_OK && - i < ldns_rr_list_rr_count(todo_nsec3s); i++) { - cur_rr = ldns_rr_list_rr(todo_nsec3s, i); - status = ldns_dnssec_zone_add_rr(newzone, cur_rr); - } - } - if (ldns_rr_list_rr_count(todo_nsec3_rrsigs) > 0) { - for (i = 0; status == LDNS_STATUS_OK && - i < ldns_rr_list_rr_count(todo_nsec3_rrsigs); - i++){ - cur_rr = ldns_rr_list_rr(todo_nsec3_rrsigs, i); - status = ldns_dnssec_zone_add_rr(newzone, cur_rr); - } + for (i = 0; status == LDNS_STATUS_OK && + i < ldns_rr_list_rr_count(todo_nsec3_ents); i++) { + cur_rr = ldns_rr_list_rr(todo_nsec3s, i); + status = ldns_dnssec_zone_add_rr(newzone, cur_rr); + } + for (i = 0; status == LDNS_STATUS_OK && + i < ldns_rr_list_rr_count(todo_nsec3_rrsigs); i++) { + cur_rr = ldns_rr_list_rr(todo_nsec3_rrsigs, i); + status = ldns_dnssec_zone_add_rr(newzone, cur_rr); } - if (z) { *z = newzone; newzone = NULL; @@ -721,6 +731,7 @@ error: } #endif ldns_rr_list_free(todo_nsec3_rrsigs); + ldns_rr_list_free(todo_nsec3_ents); ldns_rr_list_free(todo_nsec3s); if (my_origin) {
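Review bot: Two defects in the new retry logic keep left-over NSEC3s from being re-fitted after the empty non-terminals are added. In the first added loop `status` stays `LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND` after the push, so the `status == LDNS_STATUS_OK` guard ends that loop at the first unmatched record and skips both following loops; the branch should be braced and end with `status = LDNS_STATUS_OK;`. The loop bounded by `ldns_rr_list_rr_count(todo_nsec3_ents)` still indexes `todo_nsec3s`, so it would re-add the leading entries of the wrong list; it should read `cur_rr = ldns_rr_list_rr(todo_nsec3_ents, i);`. As written, a zone file whose NSEC3s cover empty non-terminals appears to come back with an error status and without those denial-of-existence records attached. The return value of `ldns_rr_list_push_rr` is also unchecked, and the function body starts and ends outside this hunk.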
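Review bot: The added `ldns_rr_list_free(todo_nsec3_ents);` deserves a comment saying why the list-only free is the right call. The list holds pointers that are also still in `todo_nsec3s` (they are pushed from it in the retry loop of the previous hunk), so a deep free here would release records that the other list, and possibly the zone, still references. Suggested comment: `/* todo_nsec3_ents aliases RRs held in todo_nsec3s; free the list only */`. The cleanup block continues outside this hunk.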