From 5798ed1fa6fcd3597b15b331b3af7b0f31e244be Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 13 Jan 2025 11:40:19 +0100
Subject: [PATCH 1/2] Revert "Use a binary search to find the NSEC3 closest encloser"

This reverts commit 14bb1f8aa0a088881340ab2fb1859d96fca077b0.
---
 lib/ns/query.c | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index a263dc9828..29000be3ee 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11324,33 +11324,24 @@ again:
 * No NSEC proof available, return NSEC3 proofs instead.
 */
 cname = dns_fixedname_initname(&cfixed);
-
 /*
- * Find the closest encloser using a binary search.
- * maxlabels: suffix length of NXDOMAIN result
- * minlabels: suffix length of non NXDOMAIN result
+ * Find the closest encloser.
 */
- unsigned int maxlabels = dns_name_countlabels(name);
- unsigned int minlabels = dns_name_countlabels(fname);
- bool search = result == DNS_R_NXDOMAIN;
 dns_name_copy(name, cname);
- while (search) {
- labels = (maxlabels + minlabels) / 2;
- dns_name_split(name, labels, NULL, cname);
- if (labels == minlabels) {
- break;
+ while (result == DNS_R_NXDOMAIN) {
+ labels = dns_name_countlabels(cname) - 1;
+ /*
+ * Sanity check.
+ */
+ if (labels == 0U) {
+ goto cleanup;
 }
+ dns_name_split(cname, labels, NULL, cname);
 result = dns_db_findext(qctx->db, cname, qctx->version, dns_rdatatype_nsec, options, 0, NULL, fname, &cm, &ci, NULL, NULL);
- if (result == DNS_R_NXDOMAIN) {
- maxlabels = labels;
- } else {
- minlabels = labels;
- }
 }
-
 /*
 * Add closest (provable) encloser NSEC3.
 */

From 8c9d31edaf12d62bab361a67a3805b57bb123158 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 13 Jan 2025 11:42:26 +0100
Subject: [PATCH 2/2] Revert "Test that the correct NSEC3 closest encloser is returned"

This reverts commit fd2f1bdf02c77a005e0ab843ea08605986851fe7.
---
 bin/tests/system/dnssec/tests.sh | 30 ------------------------------
 1 file changed, 30 deletions(-)
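Review bot: The `Sanity check.` comment on the restored `labels == 0U` guard does not say what is being guarded; since `labels` is `dns_name_countlabels(cname) - 1`, the condition appears to mean every label has been stripped without `dns_db_findext()` ever returning something other than NXDOMAIN, and a comment stating that would help, e.g. `/* Stripped every label without finding an existing ancestor (presumably the apex should always exist): bail out. */` — confirm against what `cleanup` does with `result`, which is outside the hunk. Each iteration of the restored loop also costs one `dns_db_findext()`, so the work spent per NXDOMAIN answer now grows with the label count of the queried name; the commit message records only that this is a revert, not why the binary search was dropped or whether that linear cost is acceptable, and that reason belongs in the message or a short code comment above the loop. The enclosing function begins before and ends after this hunk.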
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d94c267074..22b438f857 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4487,36 +4487,6 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-echo_i "checking NSEC3 nxdomain response closest encloser with 0 ENT ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^6OVDUHTN094ML2PV8AN90U0DPU823GH2\.nsec3.example\..*NSEC3 1 0 0 - 7AT0S0RIDCJRFF2M5H5AAV22CSFJBUL4 A RRSIG\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 1 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^NGCJFSOLJUUE27PFNQNJIME4TQ0OU2DH\.nsec3.example\..*NSEC3 1 0 0 - R8EVDMNIGNOKME4LH2H90OSP2PRSNJ1Q\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-echo_i "checking NSEC3 nxdomain response closest encloser with 2 ENTs ($n)"
-ret=0
-dig_with_opts @10.53.0.3 b.b.b.b.b.a.a.a.nsec3.example. >dig.out.ns3.test$n
-grep "status: NXDOMAIN" dig.out.ns3.test$n >/dev/null || ret=1
-pat="^H7RHPDCHSVVRAND332F878C8AB6IBJQV\.nsec3.example\..*NSEC3 1 0 0 - K8IG76R2UPQ13IKFO49L7IB9JRVB6QJI\$"
-grep "$pat" dig.out.ns3.test$n >/dev/null || ret=1
-n=$((n + 1))
-if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 echo_i "checking that records other than DNSKEY are not signed by a revoked key by dnssec-signzone ($n)"
 ret=0
 (