
NSEC3 optout and Bogus insecure forward fixes

After the change to zonecuts to find key material, the NSEC3 checking
returned an (incorrect) 'covering nxdomain' for a forwarded subzone with
no DS record in its parent. After fixing this, the NSEC3 optout test
failed as Bogus (instead of insecure). This was fixed by actually
checking the optout flag on a delegation NSEC3 record.
1 parent 6bad939 commit 46a66669600ef1d52b866b17f2deeb1c354302e7 @pieterlexis pieterlexis committed Oct 21, 2016
Showing with 10 additions and 5 deletions.
  1. +9 −4 pdns/validate.cc
  2. +1 −1 pdns/validate.hh
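--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -12,7 +12,7 @@ void dotNode(string type, DNSName name, string tag, string content);
 string dotName(string type, DNSName name, string tag);
 string dotEscape(string name);
-const char *dStates[]={"nodata", "nxdomain", "nxqtype", "empty non-terminal", "insecure"};
+const char *dStates[]={"nodata", "nxdomain", "nxqtype", "empty non-terminal", "insecure", "opt-out"};
 const char *vStates[]={"Indeterminate", "Bogus", "Insecure", "Secure", "NTA"};
 typedef set<DNSKEYRecordContent> keyset_t;
@@ -83,7 +83,12 @@ static dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const
 (nsec3->d_nexthash < beginHash && beginHash < h) || // wrap other case END --- BEGINNING --- HASH
 beginHash == nsec3->d_nexthash)) // "we have only 1 NSEC3 record, LOL!"
 {
- LOG("Denies existence of name "<<qname<<"/"<<QType(qtype).getName()<<"(could be opt-out)!"<<endl);
+ LOG("Denies existence of name "<<qname<<"/"<<QType(qtype).getName());
+ if (qtype == QType::DS && nsec3->d_flags & 1) {
+ LOG(" but is opt-out!"<<endl);
+ return OPTOUT;
+ }
+ LOG(endl);
 return NXDOMAIN;
 }
@@ -430,9 +435,9 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
 if(r.first == r.second) {
 LOG("No DS for "<<*(zoneCutIter+1)<<", now look for a secure denial"<<endl);
 dState res = getDenial(validrrsets, *(zoneCutIter+1), QType::DS);
- if (res == INSECURE)
+ if (res == INSECURE || res == NXDOMAIN)
 return Bogus;
- if (res == NXDOMAIN || res == NXQTYPE)
+ if (res == NXQTYPE || res == OPTOUT)
 return Insecure;
 }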
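Review bot: In getDenial the new opt-out test `nsec3->d_flags & 1` relies on `&` binding tighter than `&&`; it evaluates as intended, but compilers flag this shape under -Wparentheses and the bare `1` does not say which flag is being tested. I would write `if (qtype == QType::DS && (nsec3->d_flags & 1)) { // RFC 5155 Opt-Out flag` so the bit's meaning is stated where it matters, since this is the check that decides whether a missing DS is accepted as Insecure rather than Bogus. In getKeysFor, the reworked split sends INSECURE/NXDOMAIN to Bogus and NXQTYPE/OPTOUT to Insecure, but NODATA and ENT still fall through to whatever follows the if-block, which lies outside the hunk; a one-line comment stating the intended verdict for those results would help the next reader. Both enclosing functions start and end outside their hunks.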
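--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -34,7 +34,7 @@ enum vState { Indeterminate, Bogus, Insecure, Secure, NTA };
 extern const char *vStates[];
 // NSEC(3) results
-enum dState { NODATA, NXDOMAIN, NXQTYPE, ENT, INSECURE };
+enum dState { NODATA, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
 extern const char *dStates[];
 class DNSRecordOracle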
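Review bot: The new OPTOUT enumerator is only printed correctly while the dStates[] string table in validate.cc keeps the same order, and nothing at the enum says so; I would extend the comment above it to `// NSEC(3) results -- keep in sync with dStates[] in validate.cc`. As a point of style, the added line drops the space before the closing brace that the vState enum on the same page has, `enum dState { NODATA, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT };`.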

