From 5ae212e6a34825f5233632e53bed5fe4cb2f0e69 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Fri, 27 Mar 2015 20:19:36 +0100
Subject: [PATCH] pdnssec: warn for insecure wildcards in opt-out zones

---
 pdns/pdnssec.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 14a0d44ac2..cff8ca5ca6 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -405,7 +405,15 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
     cout<<"Checked 0 records of '"<<zone<<"', 1 errors, 0 warnings."<<endl;
     return 1;
   }
+
+  NSEC3PARAMRecordContent ns3pr;
+  bool narrow = false;
+  bool haveNSEC3 = dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
+  bool isOptOut=(haveNSEC3 && ns3pr.d_flags);
+
+  bool isSecure=dk.isSecuredZone(zone);
   bool presigned=dk.isPresigned(zone);
+
   sd.db->list(zone, sd.domain_id, true);
   DNSResourceRecord rr;
   uint64_t numrecords=0, numerrors=0, numwarnings=0;
@@ -494,6 +502,12 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
       continue;
     }
 
+    if (isSecure && isOptOut && (rr.qname.size() && rr.qname[0] == '*') && (rr.qname.size() < 2 || rr.qname[1] == '.' )) {
+      cout<<"[Warning] wildcard record '"<<rr.qname<<" IN " <<rr.qtype.getName()<<" "<<rr.content<<"' is insecure"<<endl;
+      cout<<"[Info] Wildcard records in opt-out zones are insecure. Disable the opt-out flag for this zone to avoid this warning. Command: pdnssec set-nsec3 "<<zone<<endl;
+      numwarnings++;
+    }
+
     if(pdns_iequals(rr.qname, zone)) {
       if (rr.qtype.getCode() == QType::NS) {
         hasNsAtApex=true;
-- 
2.47.2