
fix NSEC wildcard denial

1 parent c9a3dd7 commit f75293febb76251b3b86c4037d77057f9df912ef @mind04 mind04 committed with mind04 Nov 21, 2013
@@ -426,7 +426,7 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
NSECRecordContent nrc;
nrc.d_set.insert(QType::RRSIG);
nrc.d_set.insert(QType::NSEC);
- if(sd.qname == begin)
+ if(pdns_iequals(sd.qname, begin))
nrc.d_set.insert(QType::DNSKEY);
DNSResourceRecord rr;
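Review bot: The switch to `pdns_iequals(sd.qname, begin)` is not explained in the code, so a later cleanup could revert it to `==` and silently drop the DNSKEY bit from the apex NSEC again. That would happen whenever the case of `begin` differs from `sd.qname`, and the type bitmap would then wrongly tell a validator that the apex has no DNSKEY. A one-line comment above the test would guard against that, for example `// apex NSEC must list DNSKEY; owner names compare case-insensitively`. emitNSEC's body continues outside this hunk, so any other name comparisons in it that may need the same treatment are not visible here.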
@@ -669,20 +669,17 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co
sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
emitNSEC(before, after, target, sd, r, mode);
- if (mode == 2) {
- // wildcard NO-DATA
+ if (mode == 2 || mode == 4) {
+ // wildcard NO-DATA or wildcard denial
before.clear();
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, wildcard, before, after);
+ string closest(wildcard);
+ if (mode == 4) {
+ (void) chopOff(closest);
+ closest=dotConcat("*", closest);
+ }
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, closest, before, after);
emitNSEC(before, after, target, sd, r, mode);
}
-
- if (mode == 4) {
- // this one does wildcard denial, if applicable
- before='.';
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after);
- emitNSEC(auth, after, auth, sd, r, mode);
- }
-
return;
}
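Review bot: In the `mode == 4` branch, `(void) chopOff(closest);` discards the return value, which presumably reports whether a label was actually removed. If it can fail for the names callers pass as `wildcard`, `dotConcat("*", closest)` is built from a name that was never shortened, and the second `getBeforeAndAfterNames` lookup may return an NSEC that does not cover the wildcard at the closest encloser. Nothing in the hunk checks that `closest` is still at or below `auth` either. Handling the failure explicitly would make this visible, e.g. `if (!chopOff(closest)) return;`, though whether skipping the second NSEC or falling back to `auth` is correct depends on the callers, which are outside the hunk along with the start of addNSEC. A short comment stating what `wildcard` holds in each mode would also help, since `mode == 2 || mode == 4` is otherwise only explained by the one-line comment below it.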
@@ -5,4 +5,4 @@ a2dd754820cb88fdd3d80b54a212a270 ../regression-tests/test.com
42dd3a56c7d268e75836371878819ec4 ../regression-tests/delegated.dnssec-parent.com
a63dc120391d9df0003f2ec4f461a6af ../regression-tests/secure-delegated.dnssec-parent.com
24514dc104b22206daeb973ff9303545 ../regression-tests/minimal.com
-b62dc3974faf53b7f5ffbaa70788fcfe ../modules/tinydnsbackend/data.cdb
+a7eda9fdfd9a73961338ad661526c39c ../modules/tinydnsbackend/data.cdb
@@ -1,5 +1,3 @@
-1 example.com. IN NSEC 86400 double.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
1 outpost.example.com. IN NSEC 86400 semi-external.example.com. A RRSIG NSEC
@@ -1,5 +1,3 @@
-1 example.com. IN NSEC 86400 double.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
1 outpost.example.com. IN NSEC 86400 semi-external.example.com. A RRSIG NSEC
