- Use NSEC with longest ce to prove wildcard absence.

- Only use *.ce to prove wildcard absence, no longer names.

git-svn-id: file:///svn/unbound/trunk@4460 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 2da993bd2d7c36d3a933f02f4358e828af4917b6..7fc9f26a4b9ba03f2a6c68b8e00e3ec87cb777ca 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+29 January 2018: Ralph
+       - Use NSEC with longest ce to prove wildcard absence.
+       - Only use *.ce to prove wildcard absence, no longer names.
+
 25 January 2018: Wouter
        - ltrace.conf file for libunbound in contrib.
 

diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index 4604f3d6d423229d4834c07bff83c33bd6edf995..a795e77339d3449b078e611c9b32d48919c87a49 100644 (file)
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -513,7 +513,6 @@ val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
        /* Determine if a NSEC record proves the non-existence of a 
         * wildcard that could have produced qname. */
        int labs;
-       int i;
        uint8_t* ce = nsec_closest_encloser(qname, nsec);
        uint8_t* strip;
        size_t striplen;
@@ -526,13 +525,13 @@ val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
         * and next names. */
        labs = dname_count_labels(qname) - dname_count_labels(ce);
 
-       for(i=labs; i>0; i--) {
+       if(labs > 0) {
                /* i is number of labels to strip off qname, prepend * wild */
                strip = qname;
                striplen = qnamelen;
-               dname_remove_labels(&strip, &striplen, i);
+               dname_remove_labels(&strip, &striplen, labs);
                if(striplen > LDNS_MAX_DOMAINLEN-2)
-                       continue; /* too long to prepend wildcard */
+                       return 0; /* too long to prepend wildcard */
                buf[0] = 1;
                buf[1] = (uint8_t)'*';
                memmove(buf+2, strip, striplen);

diff --git a/validator/validator.c b/validator/validator.c
index 456bffd005f300978aba750b63cee59a0ab98dfb..925791dec6da2c9be7eed7a0c911fc81e876317a 100644 (file)
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -944,6 +944,9 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve,
        int nsec3s_seen = 0;
        struct ub_packed_rrset_key* s; 
        size_t i;
+       uint8_t* ce;
+       int ce_labs = 0;
+       int prev_ce_labs = 0;
 
        for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
                chase_reply->ns_numrrsets; i++) {
@@ -951,9 +954,19 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve,
                if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
                        if(val_nsec_proves_name_error(s, qchase->qname))
                                has_valid_nsec = 1;
-                       if(val_nsec_proves_no_wc(s, qchase->qname, 
-                               qchase->qname_len))
-                               has_valid_wnsec = 1;
+                       ce = nsec_closest_encloser(qchase->qname, s);            
+                       ce_labs = dname_count_labels(ce);                        
+                       /* Use longest closest encloser to prove wildcard. */
+                       if(ce_labs > prev_ce_labs ||                             
+                              (ce_labs == prev_ce_labs &&                      
+                                      has_valid_wnsec == 0)) {                 
+                              if(val_nsec_proves_no_wc(s, qchase->qname,       
+                                      qchase->qname_len))                      
+                                      has_valid_wnsec = 1;                     
+                              else                                             
+                                      has_valid_wnsec = 0;                     
+                       }                                                        
+                       prev_ce_labs = ce_labs; 
                        if(val_nsec_proves_insecuredelegation(s, qchase)) {
                                verbose(VERB_ALGO, "delegation is insecure");
                                chase_reply->security = sec_status_insecure;