| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-12-12 22:18:57 +0000 | 
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2015-12-12 22:18:57 +0000 | 
| commit | a7af7146c91c816cb83e0c5812eca7019531acb5 (patch) | |
| tree | 6e64b645522115b817ba7eabd4e4ce58f129e8c7 /validator/val_nsec.c | |
| parent | 835a7e7a4dd68819f7610dafdf9277d3852aef6a (diff) | |
Diffstat (limited to 'validator/val_nsec.c')
| -rw-r--r-- | validator/val_nsec.c | 28 | 
1 files changed, 25 insertions, 3 deletions
| diff --git a/validator/val_nsec.c b/validator/val_nsec.c
index bdfe3c8fa18f..f104a347c786 100644
--- a/validator/val_nsec.c
+++ b/validator/val_nsec.c
@@ -1,5 +1,5 @@
 /*
- * validator/val_nsec.c - validator NSEC denial of existance functions.
+ * validator/val_nsec.c - validator NSEC denial of existence functions.
  *
  * Copyright (c) 2007, NLnet Labs. All rights reserved.
  *
@@ -38,7 +38,7 @@
  *
  * This file contains helper functions for the validator module.
  * The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
  */
 #include "config.h"
 #include "validator/val_nsec.h"
@@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
 		return sec_status_insecure;
 	}
 
-	/* NSEC proof did not conlusively point to DS or no DS */
+	/* NSEC proof did not conclusively point to DS or no DS */
 	return sec_status_unchecked;
 }
 
@@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
 				*wc = ce;
 				return 1;
 			}
+		} else {
+			/* See if the next owner name covers a wildcard
+			 * empty non-terminal. */
+			while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+				/* wildcard does not apply if qname below
+				 * the name that exists under the '*' */
+				if (dname_subdomain_c(qinfo->qname, nm))
+					break;
+				/* but if it is a wildcard and qname is below
+				 * it, then the wildcard applies. The wildcard
+				 * is an empty nonterminal. nodata proven. */
+				if (dname_is_wild(nm)) {
+					size_t ce_len = ln;
+					uint8_t* ce = nm;
+					dname_remove_label(&ce, &ce_len);
+					if(dname_strict_subdomain_c(qinfo->qname, ce)) {
+						*wc = ce;
+						return 1;
+					}
+				}
+				dname_remove_label(&nm, &ln);
+			}
 		}
 		/* Otherwise, this NSEC does not prove ENT and is not a  | 
