2743. [bug] RRSIG could be incorrectly sent in the NSEC3 record
authorMark Andrews <marka@isc.org>
Tue, 3 Nov 2009 01:07:48 +0000 (01:07 +0000)
committerMark Andrews <marka@isc.org>
Tue, 3 Nov 2009 01:07:48 +0000 (01:07 +0000)
                        for an insecure delegation.

CHANGES
lib/dns/nsec3.c

diff --git a/CHANGES b/CHANGES
index 24836c273ae0d281f2e0c342779428afa2a7e7af..8da571c7a349200faa2603d391153e7f7a67045e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2743.  [bug]           RRSIG could be incorrectly sent in the NSEC3 record
+                       for a insecure delegation.
+
        --- 9.7.0b2 released ---
 
 2742.  [cleanup]       Clarify some DNSSEC-related log messages in
index 81de97f4f4fbf043a74fda47e9cb331c6bd4f21e..4c44194bc4c813262c0706914c86f419ee0ead20 100644 (file)
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.10 2009/10/08 23:48:10 tbox Exp $ */
+/* $Id: nsec3.c,v 1.11 2009/11/03 01:07:48 marka Exp $ */
 
 #include <config.h>
 
@@ -88,6 +88,8 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
        unsigned int i, window;
        int octet;
        isc_boolean_t found;
+       isc_boolean_t found_ns;
+       isc_boolean_t need_rrsig;
 
        unsigned char *nsec_bits, *bm;
        unsigned int max_type;
@@ -141,7 +143,7 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
        result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
        if (result != ISC_R_SUCCESS)
                return (result);
-       found = ISC_FALSE;
+       found = found_ns = need_rrsig = ISC_FALSE;
        for (result = dns_rdatasetiter_first(rdsiter);
             result == ISC_R_SUCCESS;
             result = dns_rdatasetiter_next(rdsiter))
@@ -153,13 +155,26 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
                        if (rdataset.type > max_type)
                                max_type = rdataset.type;
                        set_bit(bm, rdataset.type, 1);
-                       /* Don't set RRSIG for insecure delegation. */
-                       if (rdataset.type != dns_rdatatype_ns)
+                       /* 
+                        * Work out if we need to set the RRSIG bit for
+                        * this node.  We set the RRSIG bit if either of
+                        * the following conditions are met:
+                        * 1) We have a SOA or DS then we need to set
+                        *    the RRSIG bit as both always will be signed.
+                        * 2) We set the RRSIG bit if we don't have
+                        *    a NS record but do have other data.
+                        */
+                       if (rdataset.type == dns_rdatatype_soa ||
+                           rdataset.type == dns_rdatatype_ds)
+                               need_rrsig = ISC_TRUE;
+                       else if (rdataset.type == dns_rdatatype_ns)
+                               found_ns = ISC_TRUE;
+                       else 
                                found = ISC_TRUE;
                }
                dns_rdataset_disassociate(&rdataset);
        }
-       if (found) {
+       if ((found && !found_ns) || need_rrsig) {
                if (dns_rdatatype_rrsig > max_type)
                        max_type = dns_rdatatype_rrsig;
                set_bit(bm, dns_rdatatype_rrsig, 1);
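Review bot: The decision on the final `if ((found && !found_ns) || need_rrsig)` is taken only after the iterator loop has finished, so the RRSIG bit is derived from the complete type set at the node rather than from the order in which rdatasets happen to be returned; a reader of that line has to reconstruct this from the three flags, so a short comment there would help, e.g. `/* NS without SOA/DS is an insecure delegation: any other data there is unsigned glue, so no RRSIG. */`. The effect of the new condition is that a delegation carrying only NS plus glue addresses no longer advertises RRSIG in the NSEC3 bitmap, while an apex (SOA) or secure delegation (DS) always does; that matches what is signed in the parent, assuming nothing other than glue can coexist with NS at a non-apex name here. Two of the added lines, `/* ` and `else `, carry trailing whitespace that the surrounding code does not. The enclosing function dns_nsec3_buildrdata starts before and continues after this hunk, so whether the RRSIG type itself is excluded from the loop is not visible here.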