From c6e92c19b220506a471eac5a86ea803c7cf417b4 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 20 Sep 2007 12:31:35 +0000
Subject: [PATCH] more liberal for ANS ENT bug. Fixup DS ENT handling too.
git-svn-id: file:///svn/unbound/trunk@625 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 3 +
 testdata/val_ans_dsent.rpl | 204 ++++++++++++++++++++++++++++++++++++
 testdata/val_ans_nx.rpl | 207 +++++++++++++++++++++++++++++++++++++
 validator/val_nsec.c | 14 ++-
 validator/validator.c | 14 ++-
 5 files changed, 434 insertions(+), 8 deletions(-)
 create mode 100644 testdata/val_ans_dsent.rpl
 create mode 100644 testdata/val_ans_nx.rpl
diff --git a/doc/Changelog b/doc/Changelog
index bcaf5cca1..101700d8c 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,9 @@
 - fixup and test for NSEC wildcard with empty nonterminals.
 - makedist.sh fixup for svn info.
 - acl features request in plan.
+ - improved DS empty nonterminal handling.
+ - compat with ANS nxdomain for empty nonterminals. Attempts the nodata
+ proof anyway, which succeeds in ANS failure case.
 19 September 2007: Wouter
 - comments about non-packed usage.
diff --git a/testdata/val_ans_dsent.rpl b/testdata/val_ans_dsent.rpl
new file mode 100644
index 000000000..41ba05bbb
--- /dev/null
+++ b/testdata/val_ans_dsent.rpl
@@ -0,0 +1,204 @@
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with empty nonterminals on the trust chain.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; responses to DS empty nonterminal queries.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+194.example.com. IN DS
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854}
+
+; This NSEC proves the NOERROR/NODATA case.
+194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC
+194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854}
+
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+; this should be NOERROR.
+REPLY QR AA NOERROR
+SECTION QUESTION
+0.194.example.com. IN DS
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854}
+
+; This NSEC proves the NOERROR/NODATA case.
+194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC
+194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854}
+
+ENTRY_END
+
+; response for delegation to sub zone.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+0.0.194.example.com. IN NS ns.sub.example.com.
+0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
+0.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854}
+SECTION ADDITIONAL
+ns.sub.example.com. IN A 1.2.3.6
+ENTRY_END
+
+; response for delegation to sub zone
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+0.0.194.example.com. IN DNSKEY
+SECTION ANSWER
+SECTION AUTHORITY
+0.0.194.example.com. IN NS ns.sub.example.com.
+0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
+0.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854}
+SECTION ADDITIONAL
+ns.sub.example.com. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; ns.sub.example.com. for zone 0.0.194.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.6
+
+; response to DNSKEY priming query
+; 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+0.0.194.example.com. IN DNSKEY
+SECTION ANSWER
+0.0.194.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+0.0.194.example.com. 3600 IN RRSIG DNSKEY 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. fSmc7ef6NwbDXC0o4wPc/aa8LakW5ZJwEZ4xPYl3tTZKmPNM7hPXskl1tFlvst9Va4u37F62v+16trprHb+SCQ== ;{id = 30899}
+SECTION AUTHORITY
+0.0.194.example.com. IN NS ns.sub.example.com.
+0.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899}
+SECTION ADDITIONAL
+ns.sub.example.com. IN A 1.2.3.6
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION ANSWER
+328.0.0.194.example.com. IN A 11.11.11.11
+328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION ANSWER
+328.0.0.194.example.com. 3600 IN A 11.11.11.11
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/val_ans_nx.rpl b/testdata/val_ans_nx.rpl
new file mode 100644
index 000000000..ac0fba5bb
--- /dev/null
+++ b/testdata/val_ans_nx.rpl
@@ -0,0 +1,207 @@
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with DS nodata as nxdomain on trust chain
+; This is a bug in ANS 2.8.1.0 where it gives an NXDOMAIN instead of
+; NOERROR for an empty nonterminal DS query. The proof for this NXDOMAIN
+; is the NSEC that proves emptynonterminal.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; responses to DS empty nonterminal queries.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+194.example.com. IN DS
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854}
+
+; This NSEC proves the NOERROR/NODATA case.
+194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC
+194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854}
+
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+; Bad NXDOMAIN response, this should be NOERROR.
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+0.194.example.com. IN DS
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854}
+
+; This NSEC proves the NOERROR/NODATA case.
+194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC
+194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854}
+
+ENTRY_END
+
+; response for delegation to sub zone.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+0.0.194.example.com. IN NS ns.sub.example.com.
+0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
+0.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854}
+SECTION ADDITIONAL
+ns.sub.example.com. IN A 1.2.3.6
+ENTRY_END
+
+; response for delegation to sub zone
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+0.0.194.example.com. IN DNSKEY
+SECTION ANSWER
+SECTION AUTHORITY
+0.0.194.example.com. IN NS ns.sub.example.com.
+0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
+0.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854}
+SECTION ADDITIONAL
+ns.sub.example.com. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; ns.sub.example.com. for zone 0.0.194.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.6
+
+; response to DNSKEY priming query
+; 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+0.0.194.example.com. IN DNSKEY
+SECTION ANSWER
+0.0.194.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+0.0.194.example.com. 3600 IN RRSIG DNSKEY 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. fSmc7ef6NwbDXC0o4wPc/aa8LakW5ZJwEZ4xPYl3tTZKmPNM7hPXskl1tFlvst9Va4u37F62v+16trprHb+SCQ== ;{id = 30899}
+SECTION AUTHORITY
+0.0.194.example.com. IN NS ns.sub.example.com.
+0.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899}
+SECTION ADDITIONAL
+ns.sub.example.com. IN A 1.2.3.6
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION ANSWER
+328.0.0.194.example.com. IN A 11.11.11.11
+328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+328.0.0.194.example.com. IN A
+SECTION ANSWER
+328.0.0.194.example.com. 3600 IN A 11.11.11.11
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index eb76fc834..758e25cf4 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -156,8 +156,6 @@ val_nsec_proves_no_ds(struct ub_packed_rrset_key* nsec,
 {
 log_assert(qinfo->qtype == LDNS_RR_TYPE_DS);
 log_assert(ntohs(nsec->rk.type) == LDNS_RR_TYPE_NSEC);
- /* this proof may also work if qname is a subdomain */
- log_assert(query_dname_compare(nsec->rk.dname, qinfo->qname) == 0);
 if(nsec_has_type(nsec, LDNS_RR_TYPE_SOA) && qinfo->qname_len != 1) {
 /* SOA present means that this is the NSEC from the child,
@@ -191,6 +189,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 size_t i;
 uint8_t* wc = NULL, *ce = NULL;
 int valid_nsec = 0;
+ struct ub_packed_rrset_key* wc_nsec = NULL;
 /* If we have a NSEC at the same name, it must prove one
 * of two things
@@ -237,6 +236,8 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 verbose(VERB_ALGO, "NSEC for empty non-terminal "
 "proved no DS.");
 *proof_ttl = rrset_get_ttl(rep->rrsets[i]);
+ if(wc && dname_is_wild(rep->rrsets[i]->rk.dname))
+ wc_nsec = rep->rrsets[i];
 valid_nsec = 1;
 }
 if(val_nsec_proves_name_error(rep->rrsets[i], qinfo->qname)) {
@@ -250,9 +251,16 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 /* ce and wc must match */
 if(query_dname_compare(wc, ce) != 0)
 valid_nsec = 0;
+ else if(!wc_nsec)
+ valid_nsec = 0;
 }
 if(valid_nsec) {
- return sec_status_secure;
+ if(wc) {
+ /* check if this is a delegation */
+ return val_nsec_proves_no_ds(wc_nsec, qinfo);
+ }
+ /* valid nsec proves empty nonterminal */
+ return sec_status_insecure;
 }
 /* NSEC proof did not conlusively point to DS or no DS */
diff --git a/validator/validator.c b/validator/validator.c
index 14f57078b..571f981f7 100644
--- a/validator/validator.c
+++ b/validator/validator.c
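Review bot: Removing `log_assert(query_dname_compare(nsec->rk.dname, qinfo->qname) == 0)` from `val_nsec_proves_no_ds` leaves its precondition undocumented: the function still inspects `nsec` as the record that speaks for `qinfo->qname`, and the new caller at the end of `val_nsec_prove_nodata_dsreply` now passes an NSEC whose owner is a wildcard rather than qname itself. A comment where the assertion stood would make the widened contract explicit, e.g. `/* nsec is the NSEC at qname, or the wildcard NSEC that qname expands from; the caller has verified its signature and that it covers qname. */`. The remainder of the function body is outside the hunk.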
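Review bot: The two `valid_nsec = 0` assignments in the last hunk can be a single condition, `if(query_dname_compare(wc, ce) != 0 || !wc_nsec) valid_nsec = 0;`, which also makes it visible that the `!wc_nsec` test is what keeps `val_nsec_proves_no_ds(wc_nsec, qinfo)` from being called with NULL, since that function dereferences `nsec` unconditionally in the first hunk. That guard runs only inside a block whose opening condition lies above the hunk; if that block is not entered for every non-NULL `wc`, the NULL call is reachable, so the entry condition is worth confirming. The `return sec_status_insecure` that replaces `return sec_status_secure` for the plain empty-non-terminal case reads as a security verdict, whereas it presumably tells the caller "not a delegation point, keep walking the chain"; a one-line comment at that return saying so would prevent the next reader from "fixing" it back to secure.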
@@ -1677,11 +1677,17 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 *ke = key_entry_create_rrset(qstate->region, qinfo->qname, qinfo->qname_len, qinfo->qclass, ds);
 return (*ke) != NULL;
- } else if(subtype == VAL_CLASS_NODATA) {
+ } else if(subtype == VAL_CLASS_NODATA ||
+ subtype == VAL_CLASS_NAMEERROR) {
 /* NODATA means that the qname exists, but that there was
 * no DS. This is a pretty normal case. */
 uint32_t proof_ttl = 0;
+ /* For subtype Name Error.
+ * attempt ANS 2.8.1.0 compatibility where it sets rcode
+ * to nxdomain, but really this is an Nodata/Noerror response.
+ * Find and prove the empty nonterminal in that case */
+
 /* Try to prove absence of the DS with NSEC */
 enum sec_status sec = val_nsec_prove_nodata_dsreply(
 qstate->env, ve, qinfo, msg->rep, vq->key_entry,
@@ -1738,10 +1744,8 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 /* Apparently, no available NSEC/NSEC3 proved NODATA, so
 * this is BOGUS. */
- verbose(VERB_DETAIL, "DS ran out of options, so return bogus");
- goto return_bogus;
- } else if(subtype == VAL_CLASS_NAMEERROR) {
- verbose(VERB_DETAIL, "DS response was NAMEERROR, thus bogus.");
+ verbose(VERB_DETAIL, "DS %s ran out of options, so return "
+ "bogus", val_classification_to_string(subtype));
 goto return_bogus;
 } else {
 verbose(VERB_DETAIL, "Encountered an unhandled type of "
--
2.47.2
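Review bot: Folding `VAL_CLASS_NAMEERROR` into the NODATA branch is sound only because the rcode is never trusted here: the outcome rests on the signed proof that `val_nsec_prove_nodata_dsreply` (and whatever follows it below the hunk) performs, and a NAMEERROR reply carrying no such proof still reaches the "ran out of options" bogus path in the second hunk. The added comment should state that property rather than only naming the vendor bug, e.g. `/* NAMEERROR is handled like NODATA: the rcode is unauthenticated, so only the signed NSEC/NSEC3 nodata proof decides. ANS 2.8.1.0 answers NXDOMAIN for an empty nonterminal DS query; the proof succeeds for it. */`. Two wording points: "an Nodata/Noerror response" should read "a NODATA/NOERROR response", and the four-line block would be clearer merged into the `/* Try to prove absence of the DS with NSEC */` comment it sits directly above, instead of two comment blocks separated by a blank line. `ds_response_to_ke` begins and ends outside the hunk.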