- Fix auth-zone NSEC3 response for wildcard nodata answers,
include the closest encloser in the answer. git-svn-id: file:///svn/unbound/trunk@5146 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
937523285a
commit
ce8167a3bb
@ -1,6 +1,8 @@
|
|||||||
3 April 2019: Wouter
|
3 April 2019: Wouter
|
||||||
- Move goto label in answer_from_cache to the end of the function
|
- Move goto label in answer_from_cache to the end of the function
|
||||||
where it is more visible.
|
where it is more visible.
|
||||||
|
- Fix auth-zone NSEC3 response for wildcard nodata answers,
|
||||||
|
include the closest encloser in the answer.
|
||||||
|
|
||||||
2 April 2019: Wouter
|
2 April 2019: Wouter
|
||||||
- Fix auth-zone NSEC3 response for empty nonterminals with exact
|
- Fix auth-zone NSEC3 response for empty nonterminals with exact
|
||||||
|
@ -2997,6 +2997,7 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
|||||||
struct auth_data* wildcard, struct auth_data* node)
|
struct auth_data* wildcard, struct auth_data* node)
|
||||||
{
|
{
|
||||||
struct auth_rrset* rrset, *nsec;
|
struct auth_rrset* rrset, *nsec;
|
||||||
|
int insert_ce = 0;
|
||||||
if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
|
if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
|
||||||
/* wildcard has type, add it */
|
/* wildcard has type, add it */
|
||||||
if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
|
if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
|
||||||
@ -3023,6 +3024,10 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
|||||||
/* call other notype routine for dnssec notype denials */
|
/* call other notype routine for dnssec notype denials */
|
||||||
if(!az_generate_notype_answer(z, region, msg, wildcard))
|
if(!az_generate_notype_answer(z, region, msg, wildcard))
|
||||||
return 0;
|
return 0;
|
||||||
|
/* because the notype, there is no positive data with an
|
||||||
|
* RRSIG that indicates the wildcard position. Thus the
|
||||||
|
* wildcard qname denial needs to have a CE nsec3. */
|
||||||
|
insert_ce = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ce and node for dnssec denial of wildcard original name */
|
/* ce and node for dnssec denial of wildcard original name */
|
||||||
@ -3034,7 +3039,7 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
|
|||||||
dname_remove_label(&wildup, &wilduplen);
|
dname_remove_label(&wildup, &wilduplen);
|
||||||
if(!az_add_nsec3_proof(z, region, msg, wildup,
|
if(!az_add_nsec3_proof(z, region, msg, wildup,
|
||||||
wilduplen, msg->qinfo.qname,
|
wilduplen, msg->qinfo.qname,
|
||||||
msg->qinfo.qname_len, 0, 0, 1, 0))
|
msg->qinfo.qname_len, 0, insert_ce, 1, 0))
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
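Review bot: The az_add_nsec3_proof call in the last hunk of this section now passes `0, insert_ce, 1, 0`, and nothing visible says which proof each of the four positional integers selects. A flag in the wrong position would still compile and would likely produce a denial-of-existence answer that validating resolvers reject as bogus, so the call deserves a comment naming each position. Something like `/* nodataproof=0, ce=insert_ce, wc=1, nxproof=0 */` would do; those names are assumed from the function's signature, which is not in the hunk, so confirm them first. The body of az_generate_wildcard_answer starts and ends outside the visible hunks, so whether any other path should also set `insert_ce` cannot be judged from here.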
27
testdata/auth_nsec3_wild.rpl
vendored
@ -200,4 +200,31 @@ i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1
|
|||||||
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU=
|
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU=
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
|
||||||
|
; Check that the reply for a wildcard nodata answer contains the NSEC3s.
|
||||||
|
; qname denial NSEC3, closest encloser NSEC3, and type bitmap NSEC3.
|
||||||
|
STEP 30 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD DO
|
||||||
|
SECTION QUESTION
|
||||||
|
something.a.b.test-ns-signed.dev.internet.nl. IN AAAA
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 40 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR AA RD RA DO NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
something.a.b.test-ns-signed.dev.internet.nl. IN AAAA
|
||||||
|
SECTION ANSWER
|
||||||
|
SECTION AUTHORITY
|
||||||
|
test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600
|
||||||
|
test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg= ;{id = 32784}
|
||||||
|
7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG
|
||||||
|
7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k= ;{id = 32784}
|
||||||
|
fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv
|
||||||
|
fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ= ;{id = 32784}
|
||||||
|
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG
|
||||||
|
i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= ;{id = 32784}
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
SCENARIO_END
|
SCENARIO_END
|
||||||
|