Handle NSEC3 records that point to the apex
parent
04b30732ac
commit
1171215fc9
|
@ -204,7 +204,9 @@ Check:
|
||||||
fmt.Printf(";+ Correct denial of existence (NSEC3/NODATA)\n")
|
fmt.Printf(";+ Correct denial of existence (NSEC3/NODATA)\n")
|
||||||
default:
|
default:
|
||||||
// w == 0
|
// w == 0
|
||||||
fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
|
if err != nil {
|
||||||
|
fmt.Printf(";- Incorrect denial of existence (NSEC3): %s\n",err.Error())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
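Review bot: With the new `if err != nil` guard, the `default` (`w == 0`) branch prints nothing at all when `err` is nil, so the output carries neither a `;+` nor a `;-` line for a denial of existence that was not confirmed. For a validation tool a silent path is easy to misread as success; consider an `else` that reports the unproven state, for example `fmt.Printf(";- Denial of existence not proven (NSEC3)\n")`. Whether `w == 0` with a nil error can actually occur depends on the verify call, which is outside this hunk, as is the start of the enclosing switch.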
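--- a/nsec3.go
+++ b/nsec3.go
@@ -73,8 +73,18 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
 func (nsec3 *RR_NSEC3) Cover(domain string) bool {
 hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
 nextdom := strings.ToUpper(nsec3.NextDomain)
-owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0])
-return hashdom > owner && hashdom <= nextdom
+owner := strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) // The hashed part
+apex := strings.ToUpper(HashName(strings.Join(SplitLabels(nsec3.Header().Name)[1:], "."), nsec3.Hash, nsec3.Iterations, nsec3.Salt)) // The name of the zone
+// if nextdomain equals the apex, it is considered The End. So in that case hashdom is always less then nextdomain
+if hashdom > owner && nextdom == apex {
+return true
+}
+
+if hashdom > owner && hashdom <= nextdom {
+return true
+}
+
+return false
 }
 
 // NsecVerify verifies an denial of existence response with NSECs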
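Review bot: In `Cover`, the new `nextdom == apex` branch returns true for every `hashdom > owner` without comparing against `nextdom`, and it assumes the NSEC3 chain ends at the hash of the zone apex. NSEC3 owner names are ordered by hash, so the last record's next hashed owner is the smallest hash in the zone (RFC 5155), which is generally not the apex hash; a mid-chain record that happens to point at the apex would then be accepted as covering names beyond its interval, while a real wrap-around record is still rejected. Detecting the wrap from the ordering itself avoids both: `if nextdom <= owner { return hashdom > owner || hashdom < nextdom }` followed by `return hashdom > owner && hashdom < nextdom`. The strict `<` matters because a hash equal to `nextdom` matches an existing name rather than being covered by the record.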