3945. [bug] Invalid wildcard expansions could be incorrectly

accepted by the validator. [RT #37093]
2026-04-22 14:49:20 -04:00 · 2014-09-05 12:10:55 +10:00 · 2014-09-05 12:10:55 +10:00 · 2fa1fc5332
commit 2fa1fc5332
parent 06dbd20c66
4 changed files with 33 additions and 8 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+3945.	[bug]		Invalid wildcard expansions could be incorrectly
+			accepted by the validator. [RT #37093]
+
 3944.	[test]		Added a regression test for "server-id". [RT #37057]

 3943.	[func]		SERVFAIL responses can now be cached for a
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@ -436,7 +436,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
 						  nlabels, &common);
 		}
 		result = dns_name_concatenate(dns_wildcardname, &common,
-					       wild, NULL);
+					      wild, NULL);
 		if (result != ISC_R_SUCCESS) {
 			dns_rdata_freestruct(&nsec);
 			(*logit)(arg, ISC_LOG_DEBUG(3),
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -5271,10 +5271,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 		}
 	}

-	if (valrdataset != NULL)
-		result = valcreate(fctx, addrinfo, name, fctx->type,
-				   valrdataset, valsigrdataset, valoptions,
-				   task);
+	if (valrdataset != NULL) {
+		dns_rdatatype_t vtype = fctx->type;
+		if (CHAINING(valrdataset)) {
+			if (valrdataset->type == dns_rdatatype_cname)
+				vtype = dns_rdatatype_cname;
+			else
+				vtype = dns_rdatatype_dname;
+		}
+		result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+				   valsigrdataset, valoptions, task);
+	}

 	if (result == ISC_R_SUCCESS && have_answer) {
 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -909,12 +909,26 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 						devent->name;
 			}
 			if (!exists) {
+				dns_name_t *closest;
+				unsigned int clabels;
+
 				val->attributes |= VALATTR_FOUNDNOQNAME;
-				val->attributes |= VALATTR_FOUNDCLOSEST;
+
+				closest = dns_fixedname_name(&val->closest);
+				clabels = dns_name_countlabels(closest);
+				/*
+				 * If we are validating a wildcard response
+				 * clabels will not be zero.  We then need
+				 * to check if the generated wilcard from
+				 * dns_nsec_noexistnodata is consistent with
+				 * the wildcard used to generate the response.
+				 */
+				if (clabels == 0 ||
+				    dns_name_countlabels(wild) == clabels + 1)
+					val->attributes |= VALATTR_FOUNDCLOSEST;
 				/*
 				 * The NSEC noqname proof also contains
 				 * the closest encloser.
-
 				 */
 				if (NEEDNOQNAME(val))
 					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
@ -2805,7 +2819,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
 		if (!FOUNDNOQNAME(val))
 			findnsec3proofs(val);
-		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
+		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+		    !FOUNDOPTOUT(val)) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "marking as secure, noqname proof found");
 			marksecure(val->event);