- Fix for zonemd, that nxdomain for the chain of trust is allowed

for island zones, it is treates as an insecure zone for verification.
2025-12-20 14:53:15 -05:00 · 2021-02-22 17:32:40 +01:00 · 2021-02-22 17:32:40 +01:00 · 131d38f8f2
commit 131d38f8f2
parent 40fbc3fa8a
2 changed files with 28 additions and 0 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,6 +1,8 @@
 22 February 2021: Wouter
 	- Fix #431: Squelch permission denied errors for tcp connect
 	  and udp connect from the logs, unless at high verbosity.
+	- Fix for zonemd, that nxdomain for the chain of trust is allowed
+	  for island zones, it is treates as an insecure zone for verification.

 18 February 2021: Wouter
 	- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
--- a/services/authzone.c
+++ b/services/authzone.c
@ -8117,6 +8117,32 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
 					"zonemd lookup of DNSKEY has nodata");
 				reason = "lookup of DNSKEY has nodata";
 			}
+		} else if(rep && rq.qtype == wanted_qtype &&
+			query_dname_compare(z->name, rq.qname) == 0 &&
+			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+			sec == sec_status_secure) {
+			/* secure nxdomain, so the zone is like some RPZ zone
+			 * that does not exist in the wider internet, with
+			 * a secure nxdomain answer outside of it. So we
+			 * treat the zonemd zone without a dnssec chain of
+			 * trust, as insecure. */
+			is_insecure = 1;
+			auth_zone_log(z->name, VERB_ALGO,
+				"zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
+		} else if(rep && rq.qtype == wanted_qtype &&
+			query_dname_compare(z->name, rq.qname) == 0 &&
+			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+			sec == sec_status_insecure) {
+			is_insecure = 1;
+			auth_zone_log(z->name, VERB_ALGO,
+				"zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
+		} else if(rep && rq.qtype == wanted_qtype &&
+			query_dname_compare(z->name, rq.qname) == 0 &&
+			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+			sec == sec_status_indeterminate) {
+			is_insecure = 1;
+			auth_zone_log(z->name, VERB_ALGO,
+				"zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
 		} else {
 			auth_zone_log(z->name, VERB_ALGO,
 				"zonemd lookup of DNSKEY has no answer");