- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.

git-svn-id: file:///svn/unbound/trunk@2397 be551aaa-1e26-0410-a405-d3ace91eadb9
2026-02-03 20:29:28 -05:00 · 2011-03-01 12:48:45 +00:00 · 2011-03-01 12:48:45 +00:00 · b4a089ff0d
commit b4a089ff0d
parent ee6f5c5b51
12 changed files with 83 additions and 11 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+1 March 2011: Wouter
+	- Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout.
+
 24 February 2011: Wouter
 	- bug #361: Fix, time.elapsed variable not reset with stats_noreset.

--- a/testdata/val_nsec3_b1_nameerror.rpl
+++ b/testdata/val_nsec3_b1_nameerror.rpl
@ -112,7 +112,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 a.c.x.w.example. IN A
 SECTION ANSWER
--- a/testdata/val_nsec3_b1_nameerror_nowc.rpl
+++ b/testdata/val_nsec3_b1_nameerror_nowc.rpl
@ -136,6 +136,12 @@ SECTION QUESTION
 a.c.x.w.example. IN A
 SECTION ANSWER
 SECTION AUTHORITY
+; example.       SOA     ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
+; example.        RRSIG   SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example.  Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
+; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
+; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
+; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
+; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
 SECTION ADDITIONAL
 ENTRY_END

--- a/testdata/val_nsec3_b4_wild.rpl
+++ b/testdata/val_nsec3_b4_wild.rpl
@ -130,7 +130,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 a.z.w.example. IN MX
 SECTION ANSWER
--- a/testdata/val_nsec3_cname_ds.rpl
+++ b/testdata/val_nsec3_cname_ds.rpl
@ -194,7 +194,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.sub.example.com. IN DS
 SECTION ANSWER
--- a/testdata/val_nsec3_cname_par.rpl
+++ b/testdata/val_nsec3_cname_par.rpl
@ -195,7 +195,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION ANSWER
--- a/testdata/val_nsec3_cname_sub.rpl
+++ b/testdata/val_nsec3_cname_sub.rpl
@ -201,7 +201,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
--- a/testdata/val_nsec3_optout_ad.rpl
+++ b/testdata/val_nsec3_optout_ad.rpl
@ -149,6 +149,29 @@ onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com.	3600	IN	RRSIG	NSEC3 7 3 3600 20070
 jg19n32806c832kijdnglq8p9m2r5mdj.example.com.	3600	IN	RRSIG	NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024}
 SECTION ADDITIONAL
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+rub.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
+example.com.	3600	IN	RRSIG	SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
+
+; optout
+; example.com. -> onib9mgub9h0rml3cdf5bgrj59dkjhvk.
+; rub.example.com. -> c2bqk3tb4foaenfbp1v0pdk6mor3r7vo.
+; *.example.com. -> 4f3cnt8cu22tngec382jj4gde4rb47ub.
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. NSEC3 1 1 0 - f2bqk3tb4foaenfbp1v0pdk6mor3r7vo NS RRSIG
+
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com.	3600	IN	RRSIG	NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com.	3600	IN	RRSIG	NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jk6EYU9qTrmNeeKuQRG7iKyfNJnBt45MToPVpAQ+LoGDC3muy4bkWeKspj68cN9E5wNijfmm1eFK3khSSEnM50mfJbpiwlbKgL0VZz33Zn+Wu8b7sTtdDwDH7MUBLRwHeb7W+NtQIEXPLs4Z3BXHzAXy5ZpSjQ3PJZn6zBx4/dw= ;{id = 57024}
+SECTION ADDITIONAL
+ENTRY_END
 RANGE_END

 STEP 1 QUERY
@ -204,4 +227,31 @@ jg19n32806c832kijdnglq8p9m2r5mdj.example.com.   3600    IN      RRSIG   NSEC3 7
 SECTION ADDITIONAL
 ENTRY_END

+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+rub.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+; no AD flag here because of RFC5155 9.2 section.
+; also for NXDOMAIN
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+rub.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
+example.com.    3600    IN      RRSIG   SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
+onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com.   3600    IN      RRSIG   NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. NSEC3 1 1 0 - f2bqk3tb4foaenfbp1v0pdk6mor3r7vo NS RRSIG
+22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com.	3600	IN	RRSIG	NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jk6EYU9qTrmNeeKuQRG7iKyfNJnBt45MToPVpAQ+LoGDC3muy4bkWeKspj68cN9E5wNijfmm1eFK3khSSEnM50mfJbpiwlbKgL0VZz33Zn+Wu8b7sTtdDwDH7MUBLRwHeb7W+NtQIEXPLs4Z3BXHzAXy5ZpSjQ3PJZn6zBx4/dw= ;{id = 57024}
+SECTION ADDITIONAL
+ENTRY_END
+
 SCENARIO_END
--- a/testdata/val_nsec3_wcany.rpl
+++ b/testdata/val_nsec3_wcany.rpl
@ -140,7 +140,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN ANY
 SECTION ANSWER
--- a/testdata/val_nx_nsec3_collision.rpl
+++ b/testdata/val_nx_nsec3_collision.rpl
@ -156,7 +156,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
--- a/testdata/val_nx_nsec3_params.rpl
+++ b/testdata/val_nx_nsec3_params.rpl
@ -141,7 +141,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@ -1055,6 +1055,11 @@ nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
 			"that the applicable wildcard did not exist.");
 		return sec_status_bogus;
 	}
+
+	if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+		verbose(VERB_ALGO, "nsec3 nameerror proof: nc has optout");
+		return sec_status_insecure;
+	}
 	return sec_status_secure;
 }

@ -1264,6 +1269,10 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
 			"NSEC3 that covered the next closer name.");
 		return sec_status_bogus;
 	}
+	if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+		verbose(VERB_ALGO, "proveWildcard: NSEC3 optout");
+		return sec_status_insecure;
+	}
 	return sec_status_secure;
 }

@ -1381,7 +1390,7 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 	struct ub_packed_rrset_key** list, size_t num, 
 	struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
 {
-	enum sec_status sec;
+	enum sec_status sec, secnx;
 	rbtree_t ct;
 	struct nsec3_filter flt;
 	*nodata = 0;
@ -1398,12 +1407,16 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 	/* try nxdomain and nodata after another, while keeping the
 	 * hash cache intact */

-	sec = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
-	if(sec==sec_status_secure)
+	secnx = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
+	if(secnx==sec_status_secure)
 		return sec_status_secure;
 	sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
 	if(sec==sec_status_secure) {
 		*nodata = 1;
+	} else if(sec == sec_status_insecure) {
+		*nodata = 1;
+	} else if(secnx == sec_status_insecure) {
+		sec = sec_status_insecure;
 	}
 	return sec;
 }