Fix nsec3verify for wildcard at the n.c. level
When a wildcard is not denied and the closest encloser *is* denied we have a problem. Thanks to Peter van Dijk for pinging me
This commit is contained in:
parent
5013a4058f
commit
843abbef36
1
msg.go
1
msg.go
|
@ -57,6 +57,7 @@ var (
|
|||
ErrDenialNc error = &Error{Err: "no covering NSEC3 found for next closer"}
|
||||
ErrDenialSo error = &Error{Err: "no covering NSEC3 found for source of synthesis"}
|
||||
ErrDenialBit error = &Error{Err: "type not denied in NSEC3 bitmap"}
|
||||
ErrDenialWc error = &Error{Err: "wildcard exist, but closest encloser is denied"}
|
||||
)
|
||||
|
||||
// A manually-unpacked version of (id, bits).
|
||||
|
|
15
nsec3.go
15
nsec3.go
|
@ -160,10 +160,23 @@ func (m *Msg) Nsec3Verify(q Question) (int, error) {
|
|||
return 0, ErrDenialNc // add next closer name here
|
||||
}
|
||||
// For NODATA we need to to check if the matching nsec3 has to correct type bit map
|
||||
// And we need to check that the wildcard does NOT exist
|
||||
for _, nsec := range nsec3 {
|
||||
if nsec.Cover(so) {
|
||||
sodenied = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if sodenied {
|
||||
// Whoa, the closest encloser is denied, but there does exist
|
||||
// a wildcard a that level. That's not good
|
||||
return 0, ErrDenialWc
|
||||
}
|
||||
|
||||
goto NoData
|
||||
}
|
||||
|
||||
// Check if the source of synthesis is covered and thus denied
|
||||
// Check if the source of synthesis is covered and thus also denied
|
||||
for _, nsec := range nsec3 {
|
||||
if nsec.Cover(so) {
|
||||
sodenied = true
|
||||
|
|
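Review bot: The new error path tests `nsec.Cover(so)`, i.e. whether the source of synthesis is covered, yet the comment just below it and the ErrDenialWc message both say the closest encloser is denied; `so` is built outside the hunk, so this is inferred, but either the comment should read `// The source of synthesis is covered (denied) although an NSEC3 matched the wildcard at that level: contradictory proof, reject it` or the check should hash the closest encloser instead. The same `for _, nsec := range nsec3 { if nsec.Cover(so) { sodenied = true; break } }` loop is repeated verbatim lower in the hunk under "thus also denied"; running it once above the `if` and reusing `sodenied` in both branches would remove the duplication. The nearby comment also has typos and should read `// For NODATA we need to check if the matching nsec3 has the correct type bit map`. Nsec3Verify starts and ends outside this hunk, so I cannot see where `so` and `sodenied` are declared.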