From c79ae4e8ca89b843c234ad73c8c95c0edf550aba Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 10 Jun 2026 17:58:31 -0700 Subject: [PATCH] Unvalidated opt-out NSEC3 could be accepted in insecurity proof Ignore NSEC3 records that failed in the sub-validator when determining whether an insecure delegation is legitimate. Fixes: isc-projects/bind9#5970 (cherry picked from commit 1bd458d3ba2416465a90a9598e2bee1398120720) --- lib/dns/validator.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/lib/dns/validator.c b/lib/dns/validator.c index da41e41981..10108d7501 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -306,6 +306,12 @@ is_insecure_referral(dns_validator_t *val, dns_name_t *name, if (result != ISC_R_SUCCESS) { return false; } + if (set.trust < dns_trust_secure) { + if (dns_rdataset_isassociated(&set)) { + dns_rdataset_disassociate(&set); + } + goto trynsec3; + } } INSIST(set.type == dns_rdatatype_nsec); @@ -337,6 +343,12 @@ trynsec3: dns_rdataset_disassociate(&set); continue; } + if (set.trust < dns_trust_secure) { + if (dns_rdataset_isassociated(&set)) { + dns_rdataset_disassociate(&set); + } + continue; + } dns_name_getlabel(&nsec3name, 0, &hashlabel); isc_region_consume(&hashlabel, 1); isc_buffer_init(&buffer, owner, sizeof(owner)); @@ -905,6 +917,10 @@ validator_callback_nsec(void *arg) { val->authfail++; FALLTHROUGH; default: + if (val->nxset != NULL) { + val->nxset->attributes &= + ~DNS_RDATASETATTR_NCACHE; + } result = validate_nx(val, true); } }