semantic check: don't require a glue which is under another delegation

Libor Peltan 2019-08-22 16:55:01 +02:00
parent e39993e08f
commit fbd132114b
3 changed files with 25 additions and 5 deletions


@ -481,12 +481,15 @@ static int check_delegation(const zone_node_t *node, semchecks_data_t *data)
for (int i = 0; i < ns_rrs->count; ++i) {
knot_rdata_t *ns_rr = knot_rdataset_at(ns_rrs, i);
const knot_dname_t *ns_dname = knot_ns_name(ns_rr);
if (knot_dname_in_bailiwick(ns_dname, data->zone->apex->owner) < 0) {
continue;
const zone_node_t *glue_node = NULL, *glue_encloser = NULL;
int res = zone_contents_find_dname(data->zone, ns_dname, &glue_node, &glue_encloser, NULL);
if (res == KNOT_EOUTOFZONE) {
continue; // NS is out of bailiwick
}
if (glue_encloser != NULL && glue_encloser != node &&
(glue_encloser->flags & (NODE_FLAGS_DELEG | NODE_FLAGS_NONAUTH))) {
continue; // NS is below another delegation
}
const zone_node_t *glue_node =
zone_contents_find_node(data->zone, ns_dname);
if (glue_node == NULL) {
/* Try wildcard ([1]* + suffix). */
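Review bot: The new `glue_encloser->flags & (NODE_FLAGS_DELEG | NODE_FLAGS_NONAUTH)` test does not establish that the encloser sits under a different delegation, only that it is some flagged node other than `node`. If NODE_FLAGS_NONAUTH marks every node below a zone cut (inferred from the name, not shown here), an NS target such as `ns.a.d` for delegation `d`, with `a.d` present, has an encloser that is NONAUTH and not equal to `node`, so the check skips it and missing glue inside this very delegation goes unreported. Resolving the encloser to its delegation point and comparing that with `node` would keep the intended exemption without this false negative, and a fixture for the case next to `glue_in_deleg.valid` would pin it. The loop body continues past the end of the hunk, and the `parent` link used below should be confirmed against the node API of this tree.

```c
// … unchanged: zone_contents_find_dname() call and KNOT_EOUTOFZONE check …
const zone_node_t *deleg = glue_encloser;
while (deleg != NULL && !(deleg->flags & NODE_FLAGS_DELEG)) {
	deleg = deleg->parent; // climb to the zone cut that owns the encloser, if any
}
if (deleg != NULL && deleg != node) {
	continue; // NS is below another delegation
}
```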


@ -0,0 +1,16 @@
$ORIGIN example.com.
$TTL 3600
@ IN SOA dns1.example.com. hostmaster.example.com. (
2010111217 ; serial
6h ; refresh
1h ; retry
1w ; expire
1d ) ; minimum
NS ns2.d
d NS ns1.d
ns1.d A 1.2.3.4
; glue below another delegation is not mandatory


@ -132,6 +132,7 @@ test_correct "no_error_nsec3_delegation.signed"
test_correct "no_error_nsec3_optout.signed"
test_correct "glue_wildcard.valid"
test_correct "glue_no_foreign.valid"
test_correct "glue_in_deleg.valid"
test_correct "cdnskey.cds"
test_correct "cdnskey.delete.both"
test_correct "dname_apex_nsec3.signed"