From: Kees Monshouwer
Date: Thu, 21 Nov 2013 20:46:16 +0000 (+0100)
Subject: fix NSEC wildcard denial
X-Git-Tag: auth-3.3.1~34^2~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f75293febb76251b3b86c4037d77057f9df912ef;p=thirdparty%2Fpdns.git

fix NSEC wildcard denial
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 56bb7e9fc8..f1452ddb91 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -426,7 +426,7 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
 NSECRecordContent nrc;
 nrc.d_set.insert(QType::RRSIG);
 nrc.d_set.insert(QType::NSEC);
- if(sd.qname == begin)
+ if(pdns_iequals(sd.qname, begin))
 nrc.d_set.insert(QType::DNSKEY);
 
 DNSResourceRecord rr;
@@ -669,20 +669,17 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co
 sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
 emitNSEC(before, after, target, sd, r, mode);
 
- if (mode == 2) {
- // wildcard NO-DATA
+ if (mode == 2 || mode == 4) {
+ // wildcard NO-DATA or wildcard denial
 before.clear();
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, wildcard, before, after);
+ string closest(wildcard);
+ if (mode == 4) {
+ (void) chopOff(closest);
+ closest=dotConcat("*", closest);
+ }
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, closest, before, after);
 emitNSEC(before, after, target, sd, r, mode);
 }
-
- if (mode == 4) {
- // this one does wildcard denial, if applicable
- before='.';
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after);
- emitNSEC(auth, after, auth, sd, r, mode);
- }
-
 return;
 }
 
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index 62d0ff0a25..70dd7577c1 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
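Review bot: The mode-4 branch relies on `wildcard` being the next closer name, so that a single `chopOff` yields the closest encloser and `*.<closest encloser>` is the name whose absence must be proven, but nothing in the hunk states that precondition and `chopOff`'s result is cast to void. Should a caller pass the apex or an empty name, `closest` degrades to a bare `*`, the second `getBeforeAndAfterNames` lookup no longer describes the right span, and a validating resolver would see the NXDOMAIN as bogus rather than secure. I would make the assumption explicit in the comment, e.g. `// wildcard NO-DATA (mode 2) or wildcard denial (mode 4): in mode 4 'wildcard' is the next closer name, so chopping one label gives the closest encloser (RFC 4035 3.1.3.2)`, and act on `chopOff`'s return value instead of discarding it. When one NSEC already covers both `target` and `*.<closest encloser>` this path emits it twice unless emitNSEC or the packet layer deduplicates; the updated expected_result files list that NSEC once, so it seems handled downstream, but that is inferred rather than visible here. addNSEC's signature and the earlier part of its body are outside the hunk, so the meaning of `wildcard` is read from this call site only.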
@@ -5,4 +5,4 @@ a2dd754820cb88fdd3d80b54a212a270 ../regression-tests/test.com
 42dd3a56c7d268e75836371878819ec4 ../regression-tests/delegated.dnssec-parent.com
 a63dc120391d9df0003f2ec4f461a6af ../regression-tests/secure-delegated.dnssec-parent.com
 24514dc104b22206daeb973ff9303545 ../regression-tests/minimal.com
-b62dc3974faf53b7f5ffbaa70788fcfe ../modules/tinydnsbackend/data.cdb
+a7eda9fdfd9a73961338ad661526c39c ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
index 5943dc0950..ee42de95ed 100644
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
@@ -1,5 +1,3 @@
-1 example.com. IN NSEC 86400 double.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 1 outpost.example.com. IN NSEC 86400 semi-external.example.com. A RRSIG NSEC
diff --git a/regression-tests/second-level-nxdomain/expected_result b/regression-tests/second-level-nxdomain/expected_result
index 3b761e31df..27ce149d24 100644
--- a/regression-tests/second-level-nxdomain/expected_result
+++ b/regression-tests/second-level-nxdomain/expected_result
@@ -1,5 +1,3 @@
-1 example.com. IN NSEC 86400 double.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 1 outpost.example.com. IN NSEC 86400 semi-external.example.com. A RRSIG NSEC