Require secure trust for covering NSEC in the RBT cache

The guard against synthesizing negative answers from a pending NSEC
(#5977) was only added to the QP cache's find_coveringnsec(); the RBT
cache database kept binding any covering NSEC regardless of trust.  On
builds configured with --with-cachedb=rbt this lets a piggy-backed,
unvalidated NSEC drive a synthesized NXDOMAIN, reviving the cache
poisoning that was fixed for the default cache.

query_coveringnsec() only verifies the covering NSEC's trust on its
NODATA path; the NXDOMAIN path relies on the database returning a
secure record.  Require the NSEC and its RRSIG to be dns_trust_secure
in find_coveringnsec(), matching the QP cache.

Assisted-by: Claude:claude-opus-4-8
This commit is contained in:
Nicki Křížek 2026-07-09 08:55:01 +00:00
parent 86b87dfd29
commit e675db2e49

View file

@ -728,7 +728,9 @@ find_coveringnsec(rbtdb_search_t *search, const dns_name_t *name,
}
header_prev = header;
}
if (found != NULL) {
if (found != NULL && found->trust == dns_trust_secure &&
(foundsig == NULL || foundsig->trust == dns_trust_secure))
{
dns__rbtdb_bindrdataset(search->rbtdb, node, found, now,
nlocktype, rdataset DNS__DB_FLARG_PASS);
if (foundsig != NULL) {