Fix nsec3verify for wildcard at the n.c. level
When a wildcard is not denied and the closest encloser *is* denied we have a problem. Thanks to Peter van Dijk for pinging me
parent
5013a4058f
commit
843abbef36
1
msg.go
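--- a/msg.go
+++ b/msg.go
@@ -57,6 +57,7 @@ var (
 ErrDenialNc error = &Error{Err: "no covering NSEC3 found for next closer"}
 ErrDenialSo error = &Error{Err: "no covering NSEC3 found for source of synthesis"}
 ErrDenialBit error = &Error{Err: "type not denied in NSEC3 bitmap"}
+ErrDenialWc error = &Error{Err: "wildcard exist, but closest encloser is denied"}
 )
 
 // A manually-unpacked version of (id, bits).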
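Review bot: The message of the new sentinel on the added line, `wildcard exist, but closest encloser is denied`, has a subject/verb mismatch; make it `ErrDenialWc error = &Error{Err: "wildcard exists, but closest encloser is denied"}`. Since callers compare against the variable rather than the text, the wording can be corrected without breaking anyone who already checks for ErrDenialWc. The var block is entirely within the hunk.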
15
nsec3.go
15
nsec3.go
|
@ -160,10 +160,23 @@ func (m *Msg) Nsec3Verify(q Question) (int, error) {
|
||||||
return 0, ErrDenialNc // add next closer name here
|
return 0, ErrDenialNc // add next closer name here
|
||||||
}
|
}
|
||||||
// For NODATA we need to to check if the matching nsec3 has to correct type bit map
|
// For NODATA we need to to check if the matching nsec3 has to correct type bit map
|
||||||
|
// And we need to check that the wildcard does NOT exist
|
||||||
|
for _, nsec := range nsec3 {
|
||||||
|
if nsec.Cover(so) {
|
||||||
|
sodenied = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if sodenied {
|
||||||
|
// Whoa, the closest encloser is denied, but there does exist
|
||||||
|
// a wildcard a that level. That's not good
|
||||||
|
return 0, ErrDenialWc
|
||||||
|
}
|
||||||
|
|
||||||
goto NoData
|
goto NoData
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the source of synthesis is covered and thus denied
|
// Check if the source of synthesis is covered and thus also denied
|
||||||
for _, nsec := range nsec3 {
|
for _, nsec := range nsec3 {
|
||||||
if nsec.Cover(so) {
|
if nsec.Cover(so) {
|
||||||
sodenied = true
|
sodenied = true
|
||||||
|
|
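Review bot: The comment and return on the new `if sodenied` branch describe the closest encloser as denied, but the loop directly above it tests `nsec.Cover(so)`, i.e. whether some NSEC3 covers the source of synthesis (the wildcard name), so what is actually detected is a wildcard that this branch treats as existing while the same NSEC3 set also proves it absent; if that reading is right, the comment should say so, e.g. `// An NSEC3 matched the wildcard, yet another one covers (denies) it: the proof is contradictory`. The new loop is also a verbatim copy of the one that follows `// Check if the source of synthesis is covered and thus also denied`, so a small helper called from both places would keep the two checks from drifting apart. Nsec3Verify starts before the hunk, and neither the declaration of `sodenied` nor the element type of `nsec3` is visible here, so the helper's signature below is an assumption to confirm.
```go
// coversName reports whether any NSEC3 in the set covers name,
// i.e. whether the set proves that name does not exist.
func coversName(nsec3 []*NSEC3, name string) bool { // TODO(review): confirm nsec3's element type
	for _, nsec := range nsec3 {
		if nsec.Cover(name) {
			return true
		}
	}
	return false
}

	// … unchanged: next closer check …
	// For NODATA we need to to check if the matching nsec3 has to correct type bit map
	// An NSEC3 matched the wildcard, yet another one covers (denies) it: the proof is contradictory.
	if coversName(nsec3, so) {
		return 0, ErrDenialWc
	}
	goto NoData
```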