Handle NSEC3 records that point to the apex

2012-01-22 15:40:59 +01:00 · 2012-01-22 15:40:59 +01:00 · 1171215fc9
parent 04b30732ac
commit 1171215fc9
2 changed files with 15 additions and 3 deletions
--- a/examples/q/q.go
+++ b/examples/q/q.go
@ -204,7 +204,9 @@ Check:
                fmt.Printf(";+ Correct denial of existence (NSEC3/NODATA)\n")
        default:
                // w == 0
-	        fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
+                if err != nil {
+	                fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
+                }
        }
 }

--- a/nsec3.go
+++ b/nsec3.go
@ -73,8 +73,18 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
 func (nsec3 *RR_NSEC3) Cover(domain string) bool {
 	hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
 	nextdom := strings.ToUpper(nsec3.NextDomain)
-	owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])
-	return hashdom > owner && hashdom <= nextdom
+	owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])   // The hashed part
+        apex  := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) // The name of the zone
+        // if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
+        if hashdom > owner && nextdom == apex {
+                return true
+        }
+
+	if hashdom > owner && hashdom <= nextdom {
+                return true
+        }
+
+        return false
 }

 // NsecVerify verifies an denial of existence response with NSECs