From d45774fe03a77218241ab48646a01a30c7b34c9d Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Tue, 4 Sep 2007 12:57:40 +0000
Subject: [PATCH] wildcard DNAME detect

git-svn-id: file:///svn/unbound/trunk@585 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 1 +
 validator/validator.c | 13 ++++++-------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index b639f60be..aea42446e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -7,6 +7,7 @@
 - neater testbound tpkg output.
 - DNAMEs no longer match their apex when synthesized from the cache.
 - find correct signer name for DNAME responses.
+ - wildcarded DNAME test and fixup code to detect.
 
 3 September 2007: Wouter
 - Fixed error in iterator that would cause assertion failure in
diff --git a/validator/validator.c b/validator/validator.c
index c10e18c7f..556caf08f 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -335,7 +335,7 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
 * message is BAD. */
 if(sec != sec_status_secure) {
 log_nametypeclass(VERB_DETAIL, "validator: response "
- "has failed ANSWER rrset: ", s->rk.dname,
+ "has failed ANSWER rrset:", s->rk.dname,
 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
 chase_reply->security = sec_status_bogus;
 return 0;
@@ -358,7 +358,7 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
 * we have a bad message. */
 if(sec != sec_status_secure) {
 log_nametypeclass(VERB_DETAIL, "validator: response "
- "has failed AUTHORITY rrset: ", s->rk.dname,
+ "has failed AUTHORITY rrset:", s->rk.dname,
 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
 chase_reply->security = sec_status_bogus;
 return 0;
@@ -408,7 +408,7 @@ validate_positive_response(struct query_info* qchase,
 * made in the authority section. */
 if(!val_rrset_wildcard(s, &wc)) {
 log_nametypeclass(VERB_DETAIL, "Positive response has "
- "inconsistent wildcard sigs: ", s->rk.dname,
+ "inconsistent wildcard sigs:", s->rk.dname,
 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
 chase_reply->security = sec_status_bogus;
 return;
@@ -697,7 +697,7 @@ validate_cname_response(struct query_info* qchase,
 * made in the authority section. */
 if(!val_rrset_wildcard(s, &wc)) {
 log_nametypeclass(VERB_DETAIL, "Cname response has "
- "inconsistent wildcard sigs: ", s->rk.dname,
+ "inconsistent wildcard sigs:", s->rk.dname,
 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
 chase_reply->security = sec_status_bogus;
 return;
@@ -707,10 +707,9 @@ validate_cname_response(struct query_info* qchase,
 * Do not follow a wildcarded DNAME because
 * its synthesized CNAME expansion is underdefined */
 if(qchase->qtype != LDNS_RR_TYPE_DNAME &&
- ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME &&
- dname_is_wild(s->rk.dname)) {
+ ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME && wc) {
 log_nametypeclass(VERB_DETAIL, "cannot validate a "
- "wildcarded DNAME: ", s->rk.dname,
+ "wildcarded DNAME:", s->rk.dname,
 ntohs(s->rk.type), ntohs(s->rk.rrset_class));
 chase_reply->security = sec_status_bogus;
 return;
-- 
2.47.2
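Review bot: In the last validator.c hunk (`@@ -707,10 +707,9 @@`) the wildcard-DNAME test now reads `wc`, which holds whatever the preceding `val_rrset_wildcard(s, &wc)` calls have left in it, so the branch no longer depends only on the DNAME rrset currently in `s`. The declaration of `wc` and the enclosing loop of validate_cname_response are outside the hunk, so this is inferred: if `wc` is set by an earlier wildcard-expanded rrset and never cleared, a later non-wildcard DNAME in the same answer is also marked `sec_status_bogus`. That fails closed, which is the safe direction for a validator, but the existing comment should say so, for example `/* wc is non-NULL once any rrset in this answer was found wildcard-expanded */`. It is also worth confirming that dropping `dname_is_wild(s->rk.dname)` is intended for a DNAME whose owner name is a literal wildcard label but whose signature shows no expansion, since that case no longer reaches this branch.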