From: Pieter Lexis Date: Thu, 1 Sep 2016 09:04:05 +0000 (+0200) Subject: DNSSEC: Actually follow RFC 7646 §2.1 X-Git-Tag: dnsdist-1.1.0-beta2~158^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f418a272a9b031ea1eddf031548a16e23a35bd82;p=thirdparty%2Fpdns.git DNSSEC: Actually follow RFC 7646 §2.1 We were off by one when counting labels, so when an NTA was added for a name where a TA was configured, we would still attempt validation. Reported by @jpmens
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 83f7b973a1..d1fdf4eef7 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -183,7 +183,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 DNSName lowestNTA;
 for (auto const &negAnchor : negAnchors)
- if (zone.isPartOf(negAnchor.first) && lowestNTA.countLabels() < negAnchor.first.countLabels())
+ if (zone.isPartOf(negAnchor.first) && lowestNTA.countLabels() <= negAnchor.first.countLabels())
 lowestNTA = negAnchor.first;
 if(!lowestNTA.empty()) {
@@ -194,7 +194,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 * attempt validation for. However, section 3 tells us this positive
 * Trust Anchor MUST be *below* the name and not the name itself
 */
- if(lowestTA.countLabels() < lowestNTA.countLabels()) {
+ if(lowestTA.countLabels() <= lowestNTA.countLabels()) {
 LOG("marking answer Insecure"<
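Review bot: The switch from `<` to `<=` in the `negAnchors` loop changes behaviour only for a zero-label NTA (the root, `.`): with `<` it could never replace the default-constructed `lowestNTA`, which also has zero labels, so a root NTA was silently never honoured, and whether the selected root NTA then survives the `if(!lowestNTA.empty())` guard below depends on how `DNSName` stores the root, which this hunk does not show — a unit test that a root NTA actually yields Insecure would pin that down. Because two distinct NTAs of equal depth cannot both be ancestors of `zone`, the tie that `<=` now tolerates can only be a name against itself, so the last-wins assignment is harmless. A one-line comment would stop the next reader from "correcting" it back: `// <= so a root (zero-label) NTA can replace the initially empty lowestNTA`. getKeysFor begins before this hunk and continues after it.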