Better determination what needs to have NSEC3 (still buggy).

tobez · May 11, 2011 · b18db5d · b18db5d
1 parent db60096
commit b18db5d
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 33 deletions.
diff --git a/main.c b/main.c
@@ -329,9 +329,9 @@ main(int argc, char **argv)
 	gettimeofday(&start, NULL);
 	open_zone_file(argv[0]);
 	read_zone_file();
+	validate_zone();
 	if (G.nsec3_present)
 		calculate_hashed_names();
-	validate_zone();
 	gettimeofday(&stop, NULL);
 	if (G.opt.summary) {
 		printf("records found:       %d\n", G.stats.rr_count);

diff --git a/nsec3checks.c b/nsec3checks.c
@@ -72,43 +72,45 @@ extern void calculate_hashed_names(void)
 {
 	unsigned char sorted_name[512];
 	struct named_rr **named_rr_p;
+	struct named_rr *named_rr;
 	void *x = name2hash;
 	x = name2hash;
+	uint32_t mask;
 
 	sorted_hashed_names_count = 0;
+	mask = NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_NSEC3_ONLY;
 	if (G.nsec3_opt_out_present) {
-		uint32_t rrs;
+		mask |= NAME_FLAG_DELEGATION;
+	}
+
+	sorted_name[0] = 0;
+	JSLF(named_rr_p, zone_data, sorted_name);
+	while (named_rr_p) {
+		named_rr = *named_rr_p;
+		if ((named_rr->flags & mask) == 0) {
+/* debug
+struct binary_data hash;
+int i;
+Word_t rdtype;
+struct rr_set **rr_set_p;
+
+hash = name2hash(named_rr->name, nsec3param);
+for (i = 0; i < hash.length; i++) {
+	fprintf(stderr, "%02x", (unsigned char)hash.data[i]);
+}
+
+rdtype = 0;
+JLF(rr_set_p, named_rr->rr_sets, rdtype);
+while (rr_set_p) {
+	fprintf(stderr, " %s", rdtype2str(rdtype));
+	JLN(rr_set_p, named_rr->rr_sets, rdtype);
+}
 
-/* Yuck!  Delegated ns.xyz -> A records are also not covered by NSEC3! */
-		sorted_name[0] = 0;
-		JSLF(named_rr_p, zone_data, sorted_name);
-		while (named_rr_p) {
-			if ((*named_rr_p)->rr_sets) {
-				rrs = get_rr_set_count(*named_rr_p);
-				if (rrs == 1) {
-					/* could be opt-out NS delegation, or unsigned NSEC3 (the possibility of which we ignore) */
-					if (!find_rr_set_in_named_rr(*named_rr_p, T_NS)) {
-//fprintf(stderr, "1: %s\n", (*named_rr_p)->name);
-						sorted_hashed_names_count++;
-					}
-				} else if (rrs == 2) {
-					/* could be signed NSEC3 */
-					if (!find_rr_set_in_named_rr(*named_rr_p, T_NSEC3)) {
-//fprintf(stderr, "2: %s\n", (*named_rr_p)->name);
-						sorted_hashed_names_count++;
-					}
-				} else {
-//fprintf(stderr, "%d: %s\n", rrs, (*named_rr_p)->name);
-					sorted_hashed_names_count++;
-				}
-			} else {
-				/* must be empty non-terminal */
-				sorted_hashed_names_count++;
-			}
-			JSLN(named_rr_p, zone_data, sorted_name);
+fprintf(stderr, " %s\n", named_rr->name);
+*/
+			sorted_hashed_names_count++;
 		}
-//fprintf(stderr, "found sorted_hashed_names_count: %d\n", sorted_hashed_names_count);
-	} else {
-		sorted_hashed_names_count = G.stats.names_count;
+		JSLN(named_rr_p, zone_data, sorted_name);
 	}
+/* fprintf(stderr, "found sorted_hashed_names_count: %d\n", sorted_hashed_names_count); */
 }
diff --git a/rr.c b/rr.c
@@ -471,7 +471,7 @@ void validate_named_rr(struct named_rr *named_rr)
 	int nsec3_present = 0;
 	int nsec3_only = 1;
 
-	if (named_rr->parent && (named_rr->parent->flags & NAME_FLAG_DELEGATION) != 0) {
+	if (named_rr->parent && (named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) {
 		named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE;
 		if ((named_rr->flags & NAME_FLAG_HAS_RECORDS) != 0) {
 			G.stats.not_authoritative++;