Handle NSEC3 records that point to the apex
parent
04b30732ac
commit
1171215fc9
|
@ -204,7 +204,9 @@ Check:
|
|||
fmt.Printf(";+ Correct denial of existence (NSEC3/NODATA)\n")
|
||||
default:
|
||||
// w == 0
|
||||
fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
|
||||
if err != nil {
|
||||
fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
|
||||
}
|
||||
}
|
||||
}
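Review bot: With the new `if err != nil` guard, the `default:` (`w == 0`) branch prints nothing at all when err is nil, so a denial of existence that neither earlier case confirmed leaves no trace in the output. For a validation tool a silent result reads as "nothing wrong"; if `w == 0` with a nil error is reachable, it should still be reported as a failure, e.g. `} else { fmt.Printf(";- Incorrect denial of existence (NSEC3)\n") }`. The switch and the code that sets w and err begin above the hunk, so whether that state can occur has to be checked there.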
|
||||
|
||||
|
|
14
nsec3.go
14
nsec3.go
|
@ -73,8 +73,18 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
|
|||
func (nsec3 *RR_NSEC3) Cover(domain string) bool {
|
||||
hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
|
||||
nextdom := strings.ToUpper(nsec3.NextDomain)
|
||||
owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])
|
||||
return hashdom > owner && hashdom <= nextdom
|
||||
owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) // The hashed part
|
||||
apex := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) // The name of the zone
|
||||
// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
|
||||
if hashdom > owner && nextdom == apex {
|
||||
return true
|
||||
}
|
||||
|
||||
if hashdom > owner && hashdom <= nextdom {
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
// NsecVerify verifies an denial of existence response with NSECs
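Review bot: The new apex branch in Cover, `if hashdom > owner && nextdom == apex`, treats any record whose next hashed owner equals the hashed zone name as the end of the chain, but the NSEC3 chain is ordered by hash and wraps to the smallest hash in the zone, which need not be the apex's. When the apex hash is not the smallest, such a record is accepted as covering every hash above its owner, including hashes above the apex hash that may belong to existing names, so a validly signed record could be taken as proof that an existing name is absent; the real last record of the chain and hashes below the first owner are still not handled. Detecting wrap-around from the record itself avoids both: `if nextdom <= owner { return hashdom > owner || hashdom < nextdom }` followed by `return hashdom > owner && hashdom < nextdom`. The strict `<` is deliberate, since a hash equal to the next hashed owner name matches an existing NSEC3 owner rather than falling between two (RFC 5155 wording, worth confirming against how Match is used by the callers).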
|
||||
|
|