rec: Fix erroneous check for section 4.1 of rfc6840 #5670
The DNSSEC validation check for section 4.1 of rfc6840 was wrong, leading to a Bogus validation state when getting a denial from the root zone.
On 12 September 2017 12:51:57 CEST, Remi Gacogne ***@***.***> wrote:

rgacogne commented on this pull request.

> /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs": Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume nonexistence of any RRs below that zone cut, which include all RRs at that (original) owner name other than DS RRs, and all RRs below that owner name regardless of type. */ - LOG("type is "<<QType(qtype).getName()<<", NS is "<<std::to_string(nsec->d_set.count(QType::NS))<<", SOA is "<<std::to_string(nsec->d_set.count(QType::SOA))<<", signer is "<<getSigner(v.second.signatures).toString()<<", owner name is "<<v.first.first.toString()<<endl); - if (qtype != QType::DS && nsec->d_set.count(QType::NS) && !nsec->d_set.count(QType::SOA) && + if (nsec->d_set.count(QType::NS) && !nsec->d_set.count(QType::SOA) &&

I think you are right, but since section 4.1 of rfc6840 explicitly lists that condition and the check is cheaper than the label count one, I'd rather keep it.

https://tools.ietf.org/html/rfc6840#section-4.1
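Review bot: On the `+ if (` line, dropping `qtype != QType::DS` leaves the condition at odds with the RFC 6840 comment directly above it, which still names DS RRs as the one type at the owner name that an ancestor delegation NSEC may deny. The rest of the condition is cut off after the trailing `&&`, so it is not visible here which remaining clause keeps a DS denial from the parent side acceptable; a short comment beside the condition stating that, plus a regression test for a denial coming from the root zone (the case named in the PR description), would make the intent checkable. The removed `LOG(` line printed the type, the NS and SOA bits, the signer and the owner name; consider keeping it, since those are the values needed to diagnose a wrong Bogus result on this path.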