Fix NSEC3 handling when OptOut is not set.

This closes #21.
tobez · Aug 14, 2012 · 654dba8 · 654dba8
1 parent 0920598
commit 654dba8
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 11 deletions.
diff --git a/nsec3checks.c b/nsec3checks.c
@@ -91,6 +91,7 @@ void perform_remaining_nsec3checks(void)
 	while (named_rr_p) {
 		named_rr = *named_rr_p;
 		if ((named_rr->flags & mask) == NAME_FLAG_KIDS_WITH_RECORDS) {
+//fprintf(stderr, "--- need nsec3, kids with records: %s\n", named_rr->name);
 needs_nsec3:
 			freeall_temp();
 			hash = name2hash(named_rr->name, nsec3param);
@@ -119,10 +120,24 @@ void perform_remaining_nsec3checks(void)
 					(NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_SIGNED_DELEGATION)) ==
 				   NAME_FLAG_SIGNED_DELEGATION)
 		{
+//fprintf(stderr, "--- need nsec3, signed delegation: %s\n", named_rr->name);
 			goto needs_nsec3;
-		} else if (!G.nsec3_opt_out_present && (named_rr->flags & NAME_FLAG_DELEGATION))
+		} else if (!G.nsec3_opt_out_present && (named_rr->flags &
+					(NAME_FLAG_APEX_PARENT|NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_DELEGATION|NAME_FLAG_HAS_RECORDS)) ==
+				   0)
 		{
+//fprintf(stderr, "--- need nsec3, empty non-term: %s\n", named_rr->name);
 			goto needs_nsec3;
+		} else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE))==NAME_FLAG_DELEGATION)
+		{
+//fprintf(stderr, "--- need nsec3, no opt-out: %s\n", named_rr->name);
+			goto needs_nsec3;
+		} else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_THIS_WITH_RECORDS)))
+		{
+//fprintf(stderr, "--- need nsec3, this with records: %s\n", named_rr->name);
+			goto needs_nsec3;
+		} else {
+//fprintf(stderr, "--- NO need for nsec3: %s\n", named_rr->name);
 		}
 next:
 		JSLN(named_rr_p, zone_data, sorted_name);

diff --git a/rr.c b/rr.c
@@ -577,37 +577,74 @@ void validate_rrset(struct rr_set *rr_set)
 	}
 }
 
+void debug(struct named_rr *named_rr, char *s)
+{
+	fprintf(stderr, "%s %s", s, named_rr->name);
+	if ((named_rr->flags & NAME_FLAG_APEX))
+		fprintf(stderr, ", apex");
+	if ((named_rr->flags & NAME_FLAG_HAS_RECORDS))
+		fprintf(stderr, ", has records");
+	if ((named_rr->flags & NAME_FLAG_DELEGATION))
+		fprintf(stderr, ", delegation");
+	if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE))
+		fprintf(stderr, ", not auth");
+	if ((named_rr->flags & NAME_FLAG_NSEC3_ONLY))
+		fprintf(stderr, ", nsec3 only");
+	if ((named_rr->flags & NAME_FLAG_KIDS_WITH_RECORDS))
+		fprintf(stderr, ", kid records");
+	if ((named_rr->flags & NAME_FLAG_SIGNED_DELEGATION))
+		fprintf(stderr, ", signed delegation");
+	if ((named_rr->flags & NAME_FLAG_APEX_PARENT))
+		fprintf(stderr, ", apex parent");
+	fprintf(stderr, "\n");
+}
+
 void validate_named_rr(struct named_rr *named_rr)
 {
 	Word_t rdtype;
 	struct rr_set **rr_set_p;
 	int nsec3_present = 0;
 	int nsec3_only = 1;
+	static int seen_apex = 0;
+
+	rdtype = 0;
+	JLF(rr_set_p, named_rr->rr_sets, rdtype);
+
+	if ((named_rr->flags & NAME_FLAG_APEX))
+		seen_apex = 1;
+	if (!seen_apex)
+		named_rr->flags |= NAME_FLAG_APEX_PARENT;
 
 	if (named_rr->parent && (named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) {
 		named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE;
 		if ((named_rr->flags & NAME_FLAG_HAS_RECORDS) != 0) {
 			G.stats.not_authoritative++;
 		}
 	}
-	rdtype = 0;
-	JLF(rr_set_p, named_rr->rr_sets, rdtype);
+//debug(named_rr, ">>>>");
+
 	while (rr_set_p) {
 		validate_rrset(*rr_set_p);
 		if (rdtype == T_NSEC3)
 			nsec3_present = 1;
 		else if (rdtype != T_RRSIG)
 			nsec3_only = 0;
+		if (rdtype != T_NSEC3 && rdtype != T_RRSIG && rdtype != T_NS)
+			named_rr->flags |= NAME_FLAG_THIS_WITH_RECORDS;
 		if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE) == 0 &&
 			rdtype != T_NS && rdtype != T_NSEC3 && rdtype != T_RRSIG)
 		{
 			struct named_rr *nrr = named_rr;
+			int skip_first = rdtype == T_NS;
+
 			while (nrr && (nrr->flags & NAME_FLAG_KIDS_WITH_RECORDS) == 0) {
 				if ((nrr->flags & NAME_FLAG_APEX_PARENT) || strlen(nrr->name) < zone_apex_l) {
 					nrr->flags |= NAME_FLAG_APEX_PARENT;
 					break;
 				}
-				nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;
+				if (!skip_first)
+					nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;
+				skip_first = 0;
 				nrr = nrr->parent;
 			}
 		}
@@ -624,6 +661,7 @@ void validate_named_rr(struct named_rr *named_rr)
 	if (nsec3_present && nsec3_only) {
 		named_rr->flags |= NAME_FLAG_NSEC3_ONLY;
 	}
+//debug(named_rr, "<<<<");
 }
 
 

diff --git a/rr.h b/rr.h
@@ -101,14 +101,15 @@ struct binary_data name2wire_name(char *s);
 int algorithm_type(int alg);
 int extract_algorithm(char **s, char *what);
 
-#define NAME_FLAG_APEX                1
-#define NAME_FLAG_HAS_RECORDS         2
-#define NAME_FLAG_DELEGATION          4
-#define NAME_FLAG_NOT_AUTHORITATIVE   8
-#define NAME_FLAG_NSEC3_ONLY          16
-#define NAME_FLAG_KIDS_WITH_RECORDS   32
-#define NAME_FLAG_SIGNED_DELEGATION   64
+#define NAME_FLAG_APEX                  1
+#define NAME_FLAG_HAS_RECORDS           2
+#define NAME_FLAG_DELEGATION            4
+#define NAME_FLAG_NOT_AUTHORITATIVE     8
+#define NAME_FLAG_NSEC3_ONLY           16
+#define NAME_FLAG_KIDS_WITH_RECORDS    32
+#define NAME_FLAG_SIGNED_DELEGATION    64
 #define NAME_FLAG_APEX_PARENT         128
+#define NAME_FLAG_THIS_WITH_RECORDS   256
 
 struct named_rr
 {