DNS_RDATASET_FOREACH(&rdataset) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
- INSIST(rdata.length <= sizeof(buf));
- memmove(buf, rdata.data, rdata.length);
/*
- * Private NSEC3 record length >= 6.
- * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
+ * Filter out non-private records. Delete private records that
+ * were being used to creating NSEC3 chains and add private
+ * records to remove that chains that were in the process of
+ * being constructed. If nonsec is set and there is a record
+ * saying to go insecure preserve it.
+ *
+ * Private records have 6 <= length <= 261 (6 + saltlen) and
+ * the following structure:
+ *
+ * <0(1), hash(1), flags(1), iterations(2), saltlen(1),
+ * salt(0..255)>
*/
- if (rdata.length < 6 || buf[0] != 0 ||
- (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
- (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
+ if (rdata.length < 6 || rdata.data[0] != 0 ||
+ rdata.data[5] + 6 != rdata.length ||
+ (rdata.data[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
+ (nonsec && (rdata.data[2] & DNS_NSEC3FLAG_NONSEC) != 0))
{
continue;
}
+ INSIST(rdata.length <= sizeof(buf));
+ memmove(buf, rdata.data, rdata.length);
+
dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin, 0,
&rdata, &tuple);
CHECK(do_one_tuple(&tuple, db, ver, diff));