upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-07 22:42:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use a binary search to find the NSEC3 closest encloser

Browse source 
maxlabels is the suffix length that corresponds to the latest
NXDOMAIN response.  minlabels is the suffix length that corresponds
to longest found existing name.

(cherry picked from commit 67f31c5046)
This commit is contained in:
Mark Andrews 2024-10-10 16:39:10 +11:00
parent 39c67a05ae
commit 14bb1f8aa0
1 changed files with 18 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
lib/ns/query.c
View file

@ -11311,24 +11311,33 @@ again:
* No NSEC proof available, return NSEC3 proofs instead.
*/
cname = dns_fixedname_initname(&cfixed);
/*
* Find the closest encloser.
* Find the closest encloser using a binary search.
* maxlabels: suffix length of NXDOMAIN result
* minlabels: suffix length of non NXDOMAIN result
*/
unsigned int maxlabels = dns_name_countlabels(name);
unsigned int minlabels = dns_name_countlabels(fname);
bool search = result == DNS_R_NXDOMAIN;
dns_name_copy(name, cname);
while (result == DNS_R_NXDOMAIN) {
labels = dns_name_countlabels(cname) - 1;
/*
* Sanity check.
*/
if (labels == 0U) {
goto cleanup;
while (search) {
labels = (maxlabels + minlabels) / 2;
dns_name_split(name, labels, NULL, cname);
if (labels == minlabels) {
break;
}
dns_name_split(cname, labels, NULL, cname);
result = dns_db_findext(qctx->db, cname, qctx->version,
dns_rdatatype_nsec, options, 0,
NULL, fname, &cm, &ci, NULL,
NULL);
if (result == DNS_R_NXDOMAIN) {
maxlabels = labels;
} else {
minlabels = labels;
}
}
/*
* Add closest (provable) encloser NSEC3.
*/