From 56011cc3d8a72e71c589d53764bc0ae93c961ab2 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Tue, 22 Dec 2020 18:12:38 +0100
Subject: [PATCH] rec: Fix DNSSEC validation, exact ancestor NSEC is usable for the DS
---
pdns/validate.cc | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 8794798281..af3621148e 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -390,9 +390,11 @@ dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner
that (original) owner name other than DS RRs, and all RRs below that
owner name regardless of type.
*/
- if (qtype != QType::DS && (name == owner || name.isPartOf(owner)) && isNSECAncestorDelegation(signer, owner, nsec)) {
+ if (name.isPartOf(owner) && isNSECAncestorDelegation(signer, owner, nsec)) {
/* this is an "ancestor delegation" NSEC RR */
- return dState::NODENIAL;
+ if (!(qtype == QType::DS && name == owner)) {
+ return dState::NODENIAL;
+ }
}

/* check if the type is denied */
@@ -463,11 +465,13 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
that (original) owner name other than DS RRs, and all RRs below that
owner name regardless of type.
*/
- if (qtype != QType::DS && (qname == owner || qname.isPartOf(owner)) && isNSECAncestorDelegation(signer, owner, nsec)) {
- LOG("type is "<isSet(QType::NS))<<", SOA is "<isSet(QType::SOA))<<", signer is "<isSet(QType::NS))<<", SOA is "<isSet(QType::SOA))<<", signer is "<
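Review bot: The new inner condition in `matchesNSEC` encodes the RFC 6840 section 4.1 exception without saying so, and the same shape recurs in the `getDenial` hunk below (cut off in this view); the comment above it explains what an ancestor delegation NSEC cannot deny, but not why the exact-owner DS query is the single case allowed to continue to the type bitmap check. I would add, directly above the inner `if`, `/* the one thing an ancestor delegation NSEC can prove at its own owner is the absence of a DS (RFC 6840 4.1), so only an exact-owner DS query falls through to the bitmap check below */`. The double negation reads more naturally in the positive form `if (qtype != QType::DS || name != owner) {`. Dropping `name == owner ||` also relies on `DNSName::isPartOf` treating a name as part of itself, which nothing in the hunk shows; worth confirming, since a DS query for the owner itself must still enter this branch for the fix to take effect. The body of `matchesNSEC` continues beyond the hunk.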