Allow "black lies" to be cached

"black lies" differ from "white lies" in that the owner name of the
NSEC record matches the QNAME and the intent is to return NODATA
instead of NXDOMAIN for all types.  Caching this NSEC does not lead
to unexpected behaviour on synthesis when the QNAME matches the
NSEC owner which it does for the the general "white lie" response.

"black lie" QNAME NSEC \000.QNAME NSEC RRSIG

"white lie" QNAME- NSEC QNAME+ NSEC RRSIG

where QNAME- is a name that is close to QNAME but sorts before QNAME
and QNAME+ is a that is close to QNAME but sorts after QNAME.

Black lies are safe to cache as they don't bring into existence
names that are not intended to exist.  "Black lies" intentional change
NXDOMAIN to NODATA. "White lies" bring QNAME- into existence and named
would synthesis NODATA for QNAME+ if it is queried for that name
instead of discovering the, presumable, NXDOMAIN response.

Note rejection NSEC RRsets with NEXT names starting with the label
'\000' renders this change ineffective (see reject-000-label).

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 04d57b7c3a584200115ecdb8af4bad48f8ff505f..6c6c67d5aaee1c983ed3e1f10c422cb169c7130a 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5571,8 +5571,15 @@ answer_response:
                            sigrdataset->trust != dns_trust_secure) {
                                continue;
                        }
+
+                       /*
+                        * Don't cache "white lies" but do cache
+                        * "black lies".
+                        */
                        if (rdataset->type == dns_rdatatype_nsec &&
-                           is_minimal_nsec(rdataset)) {
+                           !dns_name_equal(fctx->name, name) &&
+                           is_minimal_nsec(rdataset))
+                       {
                                continue;
                        }
                        result = dns_db_findnode(fctx->cache, name, true,