]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Unvalidated opt-out NSEC3 could be accepted in insecurity proof
authorEvan Hunt <each@isc.org>
Thu, 11 Jun 2026 00:58:31 +0000 (17:58 -0700)
committerEvan Hunt <each@isc.org>
Fri, 3 Jul 2026 06:07:24 +0000 (23:07 -0700)
Ignore NSEC3 records that failed in the sub-validator when determining
whether an insecure delegation is legitimate.

Fixes: isc-projects/bind9#5970
lib/dns/validator.c

index 4d819a6ef7b9d9ac2c6086b1b3f8f92ca0cab507..cba632f6e39b97ff10d8f5cf7ad1ecca2aa88920 100644 (file)
@@ -297,6 +297,10 @@ is_insecure_referral(dns_validator_t *val, dns_name_t *name,
                if (result != ISC_R_SUCCESS) {
                        return false;
                }
+               if (set.trust < dns_trust_secure) {
+                       dns_rdataset_cleanup(&set);
+                       goto trynsec3;
+               }
        }
 
        INSIST(set.type == dns_rdatatype_nsec);
@@ -326,6 +330,10 @@ trynsec3:
                        dns_rdataset_disassociate(&set);
                        continue;
                }
+               if (set.trust < dns_trust_secure) {
+                       dns_rdataset_cleanup(&set);
+                       continue;
+               }
                dns_name_getlabel(&nsec3name, 0, &hashlabel);
                isc_region_consume(&hashlabel, 1);
                isc_buffer_init(&buffer, owner, sizeof(owner));
@@ -910,6 +918,9 @@ validator_callback_nsec(void *arg) {
                        val->authfail++;
                        FALLTHROUGH;
                default:
+                       if (val->nxset != NULL) {
+                               val->nxset->attributes.ncache = false;
+                       }
                        result = validate_nx(val, true);
                        break;
                }