From bb07ad8e1965722497698c4b3df8ea397889e729 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Fri, 9 Jun 2017 11:38:22 +0200
Subject: [PATCH] rec: Add and clarify RRSIG labels checks

---
 pdns/syncres.cc | 7 ++++++-
 pdns/validate.cc | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index cdc0733421..3ab08bfc5d 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1616,7 +1616,12 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 if(rec.d_type == QType::RRSIG) {
 auto rrsig = getRR(rec);
 if (rrsig) {
- if (rec.d_name == qname && rrsig->d_labels < rec.d_name.countLabels()) {
+ unsigned int labelCount = rec.d_name.countLabels();
+ /* As illustrated in rfc4035's Appendix B.6, the RRSIG label
+ count can be lower than the name's label count if it was
+ synthesized from the wildcard. Note that the difference might
+ be > 1. */
+ if (rec.d_name == qname && rrsig->d_labels < labelCount) {
 LOG(prefix<d_labels > labelCount) {
+ LOG(name<<": Discarding invalid RRSIG whose label count is "<d_labels<<" while the RRset owner name has only "< > toSign = records;
 auto r = getByTag(keys, signature->d_tag, signature->d_algorithm);
--
2.47.2
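Review bot: The wildcard test at `if (rec.d_name == qname && rrsig->d_labels < labelCount)` computes `labelCount` but still lets an RRSIG whose labels field is greater than the owner's label count through unremarked, even though RFC 4035 section 5.3.1 requires such a signature to be rejected; the validate.cc hunk appears to add exactly that rejection, so a one-line comment here would save the next reader the search, e.g. `/* d_labels > labelCount is never valid; validate.cc discards such RRSIGs */`. The test is also restricted to records whose owner equals qname, so RRSIGs on other owner names with a lower label count are not flagged in this path; if that is deliberate, the new comment should say so rather than leaving it implied. The body of updateCacheFromRecords continues outside the hunk, and the validate.cc hunk header and the tail of its added lines are lost in this rendering, so the second check is only partly visible here.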