
Better determination what needs to have NSEC3 (still buggy).

1 parent db60096 commit b18db5d97c3a4e6abef19890e90b29f637eb0af8 @tobez committed May 11, 2011
Showing with 35 additions and 33 deletions.
  1. +1 −1 main.c
  2. +33 −31 nsec3checks.c
  3. +1 −1 rr.c
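--- a/main.c
+++ b/main.c
@@ -329,9 +329,9 @@ main(int argc, char **argv)
 gettimeofday(&start, NULL);
 open_zone_file(argv[0]);
 read_zone_file();
+ validate_zone();
 if (G.nsec3_present)
 calculate_hashed_names();
- validate_zone();
 gettimeofday(&stop, NULL);
 if (G.opt.summary) {
 printf("records found: %d\n", G.stats.rr_count);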
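Review bot: The new position of `validate_zone()` is load-bearing, but nothing at the call site says so. calculate_hashed_names() in nsec3checks.c now filters names on `NAME_FLAG_NOT_AUTHORITATIVE`, `NAME_FLAG_NSEC3_ONLY` and `NAME_FLAG_DELEGATION`, and the rr.c hunk of this commit shows at least the first of these being set in validate_named_rr(), which is presumably reached from validate_zone(). A later reorder would silently change the NSEC3 count, so I would add above the call: `/* must precede calculate_hashed_names(): validation sets the NAME_FLAG_* bits it filters on */`. It is also worth confirming that nothing inside validate_zone() needs the hashed-name table, since it now runs before that table is built. main() continues outside the hunk.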
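--- a/nsec3checks.c
+++ b/nsec3checks.c
@@ -72,43 +72,45 @@ extern void calculate_hashed_names(void)
 {
 unsigned char sorted_name[512];
 struct named_rr **named_rr_p;
+ struct named_rr *named_rr;
 void *x = name2hash;
 x = name2hash;
+ uint32_t mask;
 sorted_hashed_names_count = 0;
+ mask = NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_NSEC3_ONLY;
 if (G.nsec3_opt_out_present) {
- uint32_t rrs;
+ mask |= NAME_FLAG_DELEGATION;
+ }
+
+ sorted_name[0] = 0;
+ JSLF(named_rr_p, zone_data, sorted_name);
+ while (named_rr_p) {
+ named_rr = *named_rr_p;
+ if ((named_rr->flags & mask) == 0) {
+/* debug
+struct binary_data hash;
+int i;
+Word_t rdtype;
+struct rr_set **rr_set_p;
+
+hash = name2hash(named_rr->name, nsec3param);
+for (i = 0; i < hash.length; i++) {
+ fprintf(stderr, "%02x", (unsigned char)hash.data[i]);
+}
+
+rdtype = 0;
+JLF(rr_set_p, named_rr->rr_sets, rdtype);
+while (rr_set_p) {
+ fprintf(stderr, " %s", rdtype2str(rdtype));
+ JLN(rr_set_p, named_rr->rr_sets, rdtype);
+}
-/* Yuck! Delegated ns.xyz -> A records are also not covered by NSEC3! */
- sorted_name[0] = 0;
- JSLF(named_rr_p, zone_data, sorted_name);
- while (named_rr_p) {
- if ((*named_rr_p)->rr_sets) {
- rrs = get_rr_set_count(*named_rr_p);
- if (rrs == 1) {
- /* could be opt-out NS delegation, or unsigned NSEC3 (the possibility of which we ignore) */
- if (!find_rr_set_in_named_rr(*named_rr_p, T_NS)) {
-//fprintf(stderr, "1: %s\n", (*named_rr_p)->name);
- sorted_hashed_names_count++;
- }
- } else if (rrs == 2) {
- /* could be signed NSEC3 */
- if (!find_rr_set_in_named_rr(*named_rr_p, T_NSEC3)) {
-//fprintf(stderr, "2: %s\n", (*named_rr_p)->name);
- sorted_hashed_names_count++;
- }
- } else {
-//fprintf(stderr, "%d: %s\n", rrs, (*named_rr_p)->name);
- sorted_hashed_names_count++;
- }
- } else {
- /* must be empty non-terminal */
- sorted_hashed_names_count++;
- }
- JSLN(named_rr_p, zone_data, sorted_name);
+fprintf(stderr, " %s\n", named_rr->name);
+*/
+ sorted_hashed_names_count++;
 }
-//fprintf(stderr, "found sorted_hashed_names_count: %d\n", sorted_hashed_names_count);
- } else {
- sorted_hashed_names_count = G.stats.names_count;
+ JSLN(named_rr_p, zone_data, sorted_name);
 }
+/* fprintf(stderr, "found sorted_hashed_names_count: %d\n", sorted_hashed_names_count); */
 }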
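Review bot: Under opt-out the mask drops every name carrying `NAME_FLAG_DELEGATION`, but RFC 5155 opt-out only exempts insecure delegations; a delegation that has a DS RRset still needs its own NSEC3. If that flag is set for every zone cut (the code that sets it is not on this page), signed delegations are left out of `sorted_hashed_names_count`, and if this count drives how many NSEC3 records the checker expects, a zone with a gap in its denial-of-existence chain could pass. I would keep `NAME_FLAG_DELEGATION` out of `mask` and skip a delegation only when it has no DS set, for example through the `find_rr_set_in_named_rr()` helper the old code used, assuming the project has a DS type constant next to `T_NS` and `T_NSEC3`. Separately, the commented-out debug dump in the middle of the loop would be easier to maintain under `#ifdef DEBUG`, or removed.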
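--- a/rr.c
+++ b/rr.c
@@ -471,7 +471,7 @@ void validate_named_rr(struct named_rr *named_rr)
 int nsec3_present = 0;
 int nsec3_only = 1;
- if (named_rr->parent && (named_rr->parent->flags & NAME_FLAG_DELEGATION) != 0) {
+ if (named_rr->parent && (named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) {
 named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE;
 if ((named_rr->flags & NAME_FLAG_HAS_RECORDS) != 0) {
 G.stats.not_authoritative++;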
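Review bot: Propagating `NAME_FLAG_NOT_AUTHORITATIVE` from the parent only reaches a whole subtree if each parent has been through validate_named_rr() before its children, and the hunk neither states nor checks that order. If a child can be visited first, glue two or more labels below a zone cut is still treated as authoritative and would then be counted as needing NSEC3 in calculate_hashed_names(). A comment on the condition such as `/* relies on parents being validated first, so the flag propagates down the whole subtree below a cut */` would record the invariant; the traversal that would guarantee it is not visible on this page. validate_named_rr() starts before and continues after the hunk.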
