upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Properly build the NSEC/NSEC3 type bit map

Browse source 
DNSKEY was incorrectly being added to the NESC/NSEC3 type bit map
when it was obscured by the delegation.  This lead to zone verification
failures.

(cherry picked from commit ec3c624814)
This commit is contained in:
Mark Andrews 2024-01-09 12:12:33 +11:00
parent 32589b2be7
commit 29292902c0
1 changed files with 1 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
lib/dns/zoneverify.c
View file

@ -939,7 +939,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
* other than NSEC and DS is not signed at a delegation.
*/
if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey &&
(!delegation || rdataset.type == dns_rdatatype_ds ||
rdataset.type == dns_rdatatype_nsec))
{
@ -954,9 +953,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
if (rdataset.type > maxtype) {
maxtype = rdataset.type;
}
} else if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey)
{
} else if (rdataset.type != dns_rdatatype_rrsig) {
if (rdataset.type == dns_rdatatype_ns) {
dns_nsec_setbit(types, rdataset.type, 1);
if (rdataset.type > maxtype) {