Unvalidated opt-out NSEC3 could be accepted in insecurity proof

Ignore NSEC3 records that failed in the sub-validator when determining
whether an insecure delegation is legitimate.

Fixes: isc-projects/bind9#5970
(cherry picked from commit 1bd458d3ba)
This commit is contained in:
Evan Hunt 2026-06-10 17:58:31 -07:00
parent 3e6cef2ac6
commit c79ae4e8ca

View file

@ -306,6 +306,12 @@ is_insecure_referral(dns_validator_t *val, dns_name_t *name,
if (result != ISC_R_SUCCESS) {
return false;
}
if (set.trust < dns_trust_secure) {
if (dns_rdataset_isassociated(&set)) {
dns_rdataset_disassociate(&set);
}
goto trynsec3;
}
}
INSIST(set.type == dns_rdatatype_nsec);
@ -337,6 +343,12 @@ trynsec3:
dns_rdataset_disassociate(&set);
continue;
}
if (set.trust < dns_trust_secure) {
if (dns_rdataset_isassociated(&set)) {
dns_rdataset_disassociate(&set);
}
continue;
}
dns_name_getlabel(&nsec3name, 0, &hashlabel);
isc_region_consume(&hashlabel, 1);
isc_buffer_init(&buffer, owner, sizeof(owner));
@ -905,6 +917,10 @@ validator_callback_nsec(void *arg) {
val->authfail++;
FALLTHROUGH;
default:
if (val->nxset != NULL) {
val->nxset->attributes &=
~DNS_RDATASETATTR_NCACHE;
}
result = validate_nx(val, true);
}
}