From: Evan Hunt Date: Thu, 11 Jun 2026 00:58:31 +0000 (-0700) Subject: Unvalidated opt-out NSEC3 could be accepted in insecurity proof X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=1bd458d3ba2416465a90a9598e2bee1398120720;p=thirdparty%2Fbind9.git Unvalidated opt-out NSEC3 could be accepted in insecurity proof Ignore NSEC3 records that failed in the sub-validator when determining whether an insecure delegation is legitimate. Fixes: isc-projects/bind9#5970 --- diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 4d819a6ef7b..cba632f6e39 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -297,6 +297,10 @@ is_insecure_referral(dns_validator_t *val, dns_name_t *name, if (result != ISC_R_SUCCESS) { return false; } + if (set.trust < dns_trust_secure) { + dns_rdataset_cleanup(&set); + goto trynsec3; + } } INSIST(set.type == dns_rdatatype_nsec); @@ -326,6 +330,10 @@ trynsec3: dns_rdataset_disassociate(&set); continue; } + if (set.trust < dns_trust_secure) { + dns_rdataset_cleanup(&set); + continue; + } dns_name_getlabel(&nsec3name, 0, &hashlabel); isc_region_consume(&hashlabel, 1); isc_buffer_init(&buffer, owner, sizeof(owner)); @@ -910,6 +918,9 @@ validator_callback_nsec(void *arg) { val->authfail++; FALLTHROUGH; default: + if (val->nxset != NULL) { + val->nxset->attributes.ncache = false; + } result = validate_nx(val, true); break; }