From 9f82dd096a47f5c8ce6f8158a2892a139083fc8a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 29 May 2024 15:07:46 +0200
Subject: [PATCH] iterate: fix NSEC3 records missing from answer in an edge case

When positive wildcard expansion happens, NSEC(3) records are needed to prove that the expansion was allowed. If the NSEC3 had too many iterations, we downgrade the answer to insecure status, but unintentionally we also dropped the NSEC3 record from the answer. That was breaking DNSSEC validation of that answer, e.g. when forwarding to Knot Resolver. The validator needs the NSEC3 - either to validate the expansion or to determine that it's too expensive.

---
 NEWS | 6 ++++++
 lib/layer/iterate.c | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index dca743864..5e7990838 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@ Improvements
 ------------
 - stats: add separate metrics for IPv6 and IPv4 (!1544)
+Bugfixes
+--------
+- fix NSEC3 records missing in answer for positive wildcard expansion
+  with the NSEC3 having over-limit iteration count (#910, !1550)
+
+
 Knot Resolver 5.7.2 (2024-03-27)
 ================================
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 5d16015ec..656bc2d29 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -825,7 +825,10 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
 }
 } else if (!query->parent) {
 /* Answer for initial query */
-const bool to_wire = ((pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) != 0);
+const bool to_wire = ((pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) != 0)
+/* We need to cover the case of positive wildcard answer
+ * with over-limit NSEC3 iterations. */
+|| query->flags.DNSSEC_WEXPAND;
 state = pick_authority(pkt, req, to_wire);
 if (state != kr_ok()) {
 return KR_STATE_FAIL;
-- 
2.47.2
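Review bot: The added comment in the `to_wire` initializer undersells the condition it annotates: `|| query->flags.DNSSEC_WEXPAND` forces the authority section to the wire for every positive wildcard expansion, not only the over-limit-NSEC3 case, and the commit message itself says the NSEC(3) proof is needed by a downstream validator in both situations. I would reword it to state the actual contract, e.g. `/* A positive wildcard expansion must keep its NSEC(3) proof in the answer, including when we downgraded it to insecure for over-limit NSEC3 iterations: a downstream validator needs the record either to validate the expansion or to reject it as too expensive. */`. Splitting a `||` expression with a block comment between its operands also reads awkwardly; hoisting the flag into a named `const bool` before `to_wire` (e.g. `const bool wexpand = query->flags.DNSSEC_WEXPAND;`) would keep the comment next to its subject. Where `DNSSEC_WEXPAND` is set and whether `pick_authority` keeps the NSEC3 RRset when `to_wire` is true is not visible in this hunk, so the fix's sufficiency is inferred from the description; `process_answer` continues outside the hunk.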