only check the bit map

2026-05-28 04:34:54 -04:00 · 2018-07-31 14:52:48 +10:00 · 2018-07-31 14:52:48 +10:00 · a94db46631
commit a94db46631
parent c3c0481293
3 changed files with 47 additions and 9 deletions
--- a/bin/tests/system/verify/clean.sh
+++ b/bin/tests/system/verify/clean.sh
@ -7,12 +7,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.

-rm -f zones/*.good
-rm -f zones/*.good.tmp
-rm -f zones/*.bad
-rm -f zones/*.bad.tmp
-rm -f zones/*.out*
-rm -f zones/dsset-*
-rm -f zones/K*
-rm -f verify.out*
 rm -f ns*/named.lock
+rm -f verify.out*
+rm -f zones/*.bad
+rm -f zones/*.good
+rm -f zones/*.out*
+rm -f zones/*.tmp
+rm -f zones/K*
+rm -f zones/dsset-*
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@ -75,6 +75,28 @@ cp unsigned.db ${file}.tmp
 echo "@ DNAME data" >> ${file}.tmp
 $SIGNER -3 - -SP -o ${zone} -f ${file} ${file}.tmp > s.out$n 2>&1 || dumpit s.out$n

+#
+# generate an NSEC record like
+#	aba NSEC FOO ...
+# then downcase all the FOO records so the next name in the database
+# becomes foo when the zone is loaded.
+#
+setup nsec-next-name-case-mismatch good
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+cat << EOF > ${zone}.tmp
+\$TTL 0
+@ IN SOA  foo . ( 1 28800 7200 604800 1800 )
+@ NS foo
+\$include $ksk.key
+\$include $zsk.key
+FOO AAAA ::1
+FOO A 127.0.0.2
+aba CNAME FOO
+EOF
+$SIGNER -zP -o ${zone} -f ${file}.tmp ${zone}.tmp > s.out$n 2>&1 || dumpit s.out$n
+sed 's/^FOO\./foo\./' < ${file}.tmp > ${file}
+
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
 key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@ -219,6 +219,21 @@ goodsig(const vctx_t *vctx, dns_rdata_t *sigrdata, const dns_name_t *name,
 	return (ISC_FALSE);
 }

+static isc_boolean_t
+nsec_bitmap_equal(dns_rdata_nsec_t *nsec, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdata_nsec_t tmpnsec;
+
+	result = dns_rdata_tostruct(rdata, &tmpnsec, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (nsec->len != tmpnsec.len ||
+	    memcmp(nsec->typebits, tmpnsec.typebits, nsec->len) != 0) {
+		return (ISC_FALSE);
+	}
+	return (ISC_TRUE);
+}
+
 static isc_result_t
 verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 	   const dns_name_t *nextname, isc_result_t *vresult)
@ -256,6 +271,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 	dns_rdataset_current(&rdataset, &rdata);
 	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
 	/* Check next name is consistent */
 	if (!dns_name_equal(&nsec.next, nextname)) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
@ -268,6 +284,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 		*vresult = ISC_R_FAILURE;
 		goto done;
 	}
+
 	/* Check bit map is consistent */
 	result = dns_nsec_buildrdata(vctx->db, vctx->ver, node, nextname,
 				     buffer, &tmprdata);
@ -276,7 +293,7 @@ verifynsec(const vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
 				     isc_result_totext(result));
 		goto done;
 	}
-	if (dns_rdata_compare(&rdata, &tmprdata) != 0) {
+	if (!nsec_bitmap_equal(&nsec, &tmprdata)) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
 		zoneverify_log_error(vctx,
 				     "Bad NSEC record for %s, bit map "