detect when closest-encloser name is too long

there was a database bug in which dns_db_find() could get a partial match for the query name, but still set foundname to match the full query name. this triggered an assertion when query_addwildcardproof() assumed that foundname would be shorter. the database bug has been fixed, but in case it happens again, we can just copy the name instead of splitting it. we will also log a warning that the closest-encloser name was invalid.
2026-05-28 04:34:54 -04:00 · 2025-01-08 18:08:05 -08:00 · 2025-01-08 18:08:05 -08:00 · 232dac8cd5
commit 232dac8cd5
parent 71e1c91695
1 changed files with 9 additions and 1 deletions
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -11167,7 +11167,15 @@ again:
 		 * Add no qname proof.
 		 */
 		labels = dns_name_countlabels(cname) + 1;
-		if (dns_name_countlabels(name) == labels) {
+		if (labels > maxlabels) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(cname, namebuf, sizeof(namebuf));
+			ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "closest-encloser name too long: %s",
+				      namebuf);
+			dns_name_copy(name, wname);
+		} else if (labels == maxlabels) {
 			dns_name_copy(name, wname);
 		} else {
 			dns_name_split(name, labels, NULL, wname);