fix: usr: Return the correct NSEC3 records for NXDOMAIN responses

The wrong NSEC3 records were sometimes returned as proof that the QNAME
did not exist. This has been fixed.

Closes #5292

Merge branch '5292-wrong-nsec3-chosen-for-no-qname-proof' into 'main'

See merge request isc-projects/bind9!10447
This commit is contained in:
Michał Kępień 2025-05-08 20:42:09 +00:00
commit 1ec1535827


@ -11015,6 +11015,7 @@ again:
*/
unsigned int maxlabels = dns_name_countlabels(name);
unsigned int minlabels = dns_name_countlabels(fname);
unsigned int namelabels = maxlabels;
bool search = result == DNS_R_NXDOMAIN;
dns_name_copy(name, cname);
while (search) {
@ -11072,7 +11073,7 @@ again:
* Add no qname proof.
*/
labels = dns_name_countlabels(cname) + 1;
if (labels > maxlabels) {
if (labels > namelabels) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(cname, namebuf, sizeof(namebuf));
ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
@ -11080,7 +11081,7 @@ again:
"closest-encloser name too long: %s",
namebuf);
dns_name_copy(name, wname);
} else if (labels == maxlabels) {
} else if (labels == namelabels) {
dns_name_copy(name, wname);
} else {
dns_name_split(name, labels, NULL, wname);
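Review bot: In the third hunk the `labels == namelabels` branch (and the `labels > namelabels` fallback above it) still does `dns_name_copy(name, wname)`, yet `name` carries `maxlabels` labels, so whenever `namelabels` has dropped below `maxlabels` — the very case the new variable is introduced for — the copied `wname` is longer than the label count it was just compared against; if the intended name is the `namelabels`-label suffix of `name`, `dns_name_split(name, labels, NULL, wname)` from the else branch would produce it, and if the whole `name` really is correct there, a one-line comment should say why. Note also that the visible hunks only initialise `namelabels` (to `maxlabels`) and nothing shown changes it, so presumably the assignment lives in the `while (search)` loop body, which lies outside these hunks. A comment at the declaration such as `/* label count of the name the no-qname proof is built against; may be lowered during the closest-encloser search */` would make its difference from `maxlabels` clear — wording to be confirmed against that loop. The `closest-encloser name too long` log line now fires on `labels > namelabels` rather than on the QNAME's own length, so its message may deserve rewording. The enclosing function begins before the first hunk.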