
Fix NSEC3 handling when OptOut is not set.

This closes #21.
1 parent 0920598 commit 654dba82d4b72bc3b8f9326f42d7dd901875233f @tobez committed Aug 14, 2012
Showing with 65 additions and 11 deletions.
  1. +16 −1 nsec3checks.c
  2. +41 −3 rr.c
  3. +8 −7 rr.h
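--- a/nsec3checks.c
+++ b/nsec3checks.c
@@ -91,6 +91,7 @@ void perform_remaining_nsec3checks(void)
 while (named_rr_p) {
 named_rr = *named_rr_p;
 if ((named_rr->flags & mask) == NAME_FLAG_KIDS_WITH_RECORDS) {
+//fprintf(stderr, "--- need nsec3, kids with records: %s\n", named_rr->name);
 needs_nsec3:
 freeall_temp();
 hash = name2hash(named_rr->name, nsec3param);
@@ -119,10 +120,24 @@ void perform_remaining_nsec3checks(void)
 (NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_SIGNED_DELEGATION)) ==
 NAME_FLAG_SIGNED_DELEGATION)
 {
+//fprintf(stderr, "--- need nsec3, signed delegation: %s\n", named_rr->name);
 goto needs_nsec3;
- } else if (!G.nsec3_opt_out_present && (named_rr->flags & NAME_FLAG_DELEGATION))
+ } else if (!G.nsec3_opt_out_present && (named_rr->flags &
+ (NAME_FLAG_APEX_PARENT|NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_DELEGATION|NAME_FLAG_HAS_RECORDS)) ==
+ 0)
 {
+//fprintf(stderr, "--- need nsec3, empty non-term: %s\n", named_rr->name);
 goto needs_nsec3;
+ } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE))==NAME_FLAG_DELEGATION)
+ {
+//fprintf(stderr, "--- need nsec3, no opt-out: %s\n", named_rr->name);
+ goto needs_nsec3;
+ } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_THIS_WITH_RECORDS)))
+ {
+//fprintf(stderr, "--- need nsec3, this with records: %s\n", named_rr->name);
+ goto needs_nsec3;
+ } else {
+//fprintf(stderr, "--- NO need for nsec3: %s\n", named_rr->name);
 }
 next:
 JSLN(named_rr_p, zone_data, sorted_name);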
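Review bot: The last new branch, `(named_rr->flags & (NAME_FLAG_THIS_WITH_RECORDS))`, does not mask out NAME_FLAG_NOT_AUTHORITATIVE the way the two branches above it do, while the rr.c change sets NAME_FLAG_THIS_WITH_RECORDS for any owner holding a type other than NS, NSEC3 or RRSIG regardless of authority. Unless something outside these hunks filters them first, glue names below a delegation would reach `needs_nsec3` and be reported as lacking an NSEC3 record that they are never supposed to have. Consider `(named_rr->flags & (NAME_FLAG_THIS_WITH_RECORDS|NAME_FLAG_NOT_AUTHORITATIVE)) == NAME_FLAG_THIS_WITH_RECORDS`. The commented-out `//fprintf` traces and the now-empty `else` arm would be better dropped or moved behind a debug macro; the loop body continues outside the hunk.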
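--- a/rr.c
+++ b/rr.c
@@ -577,37 +577,74 @@ void validate_rrset(struct rr_set *rr_set)
 }
 }
+void debug(struct named_rr *named_rr, char *s)
+{
+ fprintf(stderr, "%s %s", s, named_rr->name);
+ if ((named_rr->flags & NAME_FLAG_APEX))
+ fprintf(stderr, ", apex");
+ if ((named_rr->flags & NAME_FLAG_HAS_RECORDS))
+ fprintf(stderr, ", has records");
+ if ((named_rr->flags & NAME_FLAG_DELEGATION))
+ fprintf(stderr, ", delegation");
+ if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE))
+ fprintf(stderr, ", not auth");
+ if ((named_rr->flags & NAME_FLAG_NSEC3_ONLY))
+ fprintf(stderr, ", nsec3 only");
+ if ((named_rr->flags & NAME_FLAG_KIDS_WITH_RECORDS))
+ fprintf(stderr, ", kid records");
+ if ((named_rr->flags & NAME_FLAG_SIGNED_DELEGATION))
+ fprintf(stderr, ", signed delegation");
+ if ((named_rr->flags & NAME_FLAG_APEX_PARENT))
+ fprintf(stderr, ", apex parent");
+ fprintf(stderr, "\n");
+}
+
 void validate_named_rr(struct named_rr *named_rr)
 {
 Word_t rdtype;
 struct rr_set **rr_set_p;
 int nsec3_present = 0;
 int nsec3_only = 1;
+ static int seen_apex = 0;
+
+ rdtype = 0;
+ JLF(rr_set_p, named_rr->rr_sets, rdtype);
+
+ if ((named_rr->flags & NAME_FLAG_APEX))
+ seen_apex = 1;
+ if (!seen_apex)
+ named_rr->flags |= NAME_FLAG_APEX_PARENT;
 if (named_rr->parent && (named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) {
 named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE;
 if ((named_rr->flags & NAME_FLAG_HAS_RECORDS) != 0) {
 G.stats.not_authoritative++;
 }
 }
- rdtype = 0;
- JLF(rr_set_p, named_rr->rr_sets, rdtype);
+//debug(named_rr, ">>>>");
+
 while (rr_set_p) {
 validate_rrset(*rr_set_p);
 if (rdtype == T_NSEC3)
 nsec3_present = 1;
 else if (rdtype != T_RRSIG)
 nsec3_only = 0;
+ if (rdtype != T_NSEC3 && rdtype != T_RRSIG && rdtype != T_NS)
+ named_rr->flags |= NAME_FLAG_THIS_WITH_RECORDS;
 if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE) == 0 &&
 rdtype != T_NS && rdtype != T_NSEC3 && rdtype != T_RRSIG)
 {
 struct named_rr *nrr = named_rr;
+ int skip_first = rdtype == T_NS;
+
 while (nrr && (nrr->flags & NAME_FLAG_KIDS_WITH_RECORDS) == 0) {
 if ((nrr->flags & NAME_FLAG_APEX_PARENT) || strlen(nrr->name) < zone_apex_l) {
 nrr->flags |= NAME_FLAG_APEX_PARENT;
 break;
 }
- nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;
+ if (!skip_first)
+ nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;
+ skip_first = 0;
 nrr = nrr->parent;
 }
 }
@@ -624,6 +661,7 @@ void validate_named_rr(struct named_rr *named_rr)
 if (nsec3_present && nsec3_only) {
 named_rr->flags |= NAME_FLAG_NSEC3_ONLY;
 }
+//debug(named_rr, "<<<<");
 }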
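Review bot: `int skip_first = rdtype == T_NS;` sits inside the `if` whose condition already requires `rdtype != T_NS`, so `skip_first` is always 0 and the new `if (!skip_first)` guard never suppresses anything; the loop still marks the name itself with NAME_FLAG_KIDS_WITH_RECORDS exactly as before the change. If the intent was to start marking at the parent, the initial value must not depend on `rdtype` (for example `int skip_first = 1;`); otherwise drop the variable and keep the plain `nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;`. Separately, `static int seen_apex` makes NAME_FLAG_APEX_PARENT depend on the order in which names reach validate_named_rr and is never reset, so it presumably assumes one zone per process with the apex visited before any in-zone name; a comment stating that assumption would help. The new `debug()` helper is referenced only from commented-out calls and has external linkage under a very generic name, so it should either be removed or become `static` with a `const char *s` parameter.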
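--- a/rr.h
+++ b/rr.h
@@ -101,14 +101,15 @@ struct binary_data name2wire_name(char *s);
 int algorithm_type(int alg);
 int extract_algorithm(char **s, char *what);
-#define NAME_FLAG_APEX 1
-#define NAME_FLAG_HAS_RECORDS 2
-#define NAME_FLAG_DELEGATION 4
-#define NAME_FLAG_NOT_AUTHORITATIVE 8
-#define NAME_FLAG_NSEC3_ONLY 16
-#define NAME_FLAG_KIDS_WITH_RECORDS 32
-#define NAME_FLAG_SIGNED_DELEGATION 64
+#define NAME_FLAG_APEX 1
+#define NAME_FLAG_HAS_RECORDS 2
+#define NAME_FLAG_DELEGATION 4
+#define NAME_FLAG_NOT_AUTHORITATIVE 8
+#define NAME_FLAG_NSEC3_ONLY 16
+#define NAME_FLAG_KIDS_WITH_RECORDS 32
+#define NAME_FLAG_SIGNED_DELEGATION 64
 #define NAME_FLAG_APEX_PARENT 128
+#define NAME_FLAG_THIS_WITH_RECORDS 256
 struct named_rr
 {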
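Review bot: NAME_FLAG_THIS_WITH_RECORDS is added without a comment, and its name is easy to confuse with NAME_FLAG_HAS_RECORDS. Going by the rr.c change, it means the owner name itself holds a record type other than NS, NSEC3 or RRSIG; a comment such as `/* this name owns an RRset other than NS, NSEC3, RRSIG */` next to the define would record that. 256 is also the first flag that does not fit in eight bits, and the `flags` member of struct named_rr is declared outside this hunk, so confirm its type is wider than a char.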
