diff --git a/doc/Changelog b/doc/Changelog index 344e804a1..e4769ae97 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +1 March 2011: Wouter + - Fix no ADflag for NXDOMAIN in NSEC3 optout. And wildcard in optout. + 24 February 2011: Wouter - bug #361: Fix, time.elapsed variable not reset with stats_noreset. diff --git a/testdata/val_nsec3_b1_nameerror.rpl b/testdata/val_nsec3_b1_nameerror.rpl index 784b7e6b3..b7c300cca 100644 --- a/testdata/val_nsec3_b1_nameerror.rpl +++ b/testdata/val_nsec3_b1_nameerror.rpl @@ -112,7 +112,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NXDOMAIN +REPLY QR RD RA NXDOMAIN SECTION QUESTION a.c.x.w.example. IN A SECTION ANSWER diff --git a/testdata/val_nsec3_b1_nameerror_nowc.rpl b/testdata/val_nsec3_b1_nameerror_nowc.rpl index 925db1df3..bf4d22321 100644 --- a/testdata/val_nsec3_b1_nameerror_nowc.rpl +++ b/testdata/val_nsec3_b1_nameerror_nowc.rpl @@ -136,6 +136,12 @@ SECTION QUESTION a.c.x.w.example. IN A SECTION ANSWER SECTION AUTHORITY +; example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) +; example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== ) +; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) +; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) +; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG ) +; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== ) SECTION ADDITIONAL ENTRY_END 
diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl
index ed769f96f..4da066c4e 100644
--- a/testdata/val_nsec3_b4_wild.rpl
+++ b/testdata/val_nsec3_b4_wild.rpl
@@ -130,7 +130,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 a.z.w.example. IN MX
 SECTION ANSWER
diff --git a/testdata/val_nsec3_cname_ds.rpl b/testdata/val_nsec3_cname_ds.rpl
index 8fe369788..34c167856 100644
--- a/testdata/val_nsec3_cname_ds.rpl
+++ b/testdata/val_nsec3_cname_ds.rpl
@@ -194,7 +194,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.sub.example.com. IN DS
 SECTION ANSWER
diff --git a/testdata/val_nsec3_cname_par.rpl b/testdata/val_nsec3_cname_par.rpl
index 39ab0ca4c..7bd0a1a2b 100644
--- a/testdata/val_nsec3_cname_par.rpl
+++ b/testdata/val_nsec3_cname_par.rpl
@@ -195,7 +195,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION ANSWER
diff --git a/testdata/val_nsec3_cname_sub.rpl b/testdata/val_nsec3_cname_sub.rpl
index 8cc0ee7b1..8babfad37 100644
--- a/testdata/val_nsec3_cname_sub.rpl
+++ b/testdata/val_nsec3_cname_sub.rpl
@@ -201,7 +201,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
diff --git a/testdata/val_nsec3_optout_ad.rpl b/testdata/val_nsec3_optout_ad.rpl
index 50d6fe099..649df2d77 100644
--- a/testdata/val_nsec3_optout_ad.rpl
+++ b/testdata/val_nsec3_optout_ad.rpl
@@ -149,6 +149,29 @@ onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070 jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024} SECTION ADDITIONAL ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +rub.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400 +example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024} + +; optout +; example.com. -> onib9mgub9h0rml3cdf5bgrj59dkjhvk. +; rub.example.com. -> c2bqk3tb4foaenfbp1v0pdk6mor3r7vo. +; *.example.com. -> 4f3cnt8cu22tngec382jj4gde4rb47ub. +onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM +22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. NSEC3 1 1 0 - f2bqk3tb4foaenfbp1v0pdk6mor3r7vo NS RRSIG + +onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024} +22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. 
jk6EYU9qTrmNeeKuQRG7iKyfNJnBt45MToPVpAQ+LoGDC3muy4bkWeKspj68cN9E5wNijfmm1eFK3khSSEnM50mfJbpiwlbKgL0VZz33Zn+Wu8b7sTtdDwDH7MUBLRwHeb7W+NtQIEXPLs4Z3BXHzAXy5ZpSjQ3PJZn6zBx4/dw= ;{id = 57024} +SECTION ADDITIONAL +ENTRY_END RANGE_END STEP 1 QUERY @@ -204,4 +227,31 @@ jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 SECTION ADDITIONAL ENTRY_END +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +rub.example.com. IN A +ENTRY_END + +; recursion happens here. +; no AD flag here because of RFC5155 9.2 section. +; also for NXDOMAIN +STEP 50 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +rub.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400 +example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024} +onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM +onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024} +22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. NSEC3 1 1 0 - f2bqk3tb4foaenfbp1v0pdk6mor3r7vo NS RRSIG +22bqk3tb4foaenfbp1v0pdk6mor3r7vo.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jk6EYU9qTrmNeeKuQRG7iKyfNJnBt45MToPVpAQ+LoGDC3muy4bkWeKspj68cN9E5wNijfmm1eFK3khSSEnM50mfJbpiwlbKgL0VZz33Zn+Wu8b7sTtdDwDH7MUBLRwHeb7W+NtQIEXPLs4Z3BXHzAXy5ZpSjQ3PJZn6zBx4/dw= ;{id = 57024} +SECTION ADDITIONAL +ENTRY_END + SCENARIO_END 
diff --git a/testdata/val_nsec3_wcany.rpl b/testdata/val_nsec3_wcany.rpl
index 817f41ac2..ba8ce2c3c 100644
--- a/testdata/val_nsec3_wcany.rpl
+++ b/testdata/val_nsec3_wcany.rpl
@@ -140,7 +140,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN ANY
 SECTION ANSWER
diff --git a/testdata/val_nx_nsec3_collision.rpl b/testdata/val_nx_nsec3_collision.rpl
index 92df57726..60ddb1c64 100644
--- a/testdata/val_nx_nsec3_collision.rpl
+++ b/testdata/val_nx_nsec3_collision.rpl
@@ -156,7 +156,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
diff --git a/testdata/val_nx_nsec3_params.rpl b/testdata/val_nx_nsec3_params.rpl
index 2303555f6..f25245a0b 100644
--- a/testdata/val_nx_nsec3_params.rpl
+++ b/testdata/val_nx_nsec3_params.rpl
@@ -141,7 +141,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NXDOMAIN
+REPLY QR RD RA NXDOMAIN
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 4666cebb6..1be921c1b 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1055,6 +1055,11 @@ nsec3_do_prove_nameerror(struct module_env* env, struct nsec3_filter* flt,
 "that the applicable wildcard did not exist.");
 return sec_status_bogus;
 }
+
+ if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+ verbose(VERB_ALGO, "nsec3 nameerror proof: nc has optout");
+ return sec_status_insecure;
+ }
 return sec_status_secure;
 }
 
@@ -1264,6 +1269,10 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
 "NSEC3 that covered the next closer name.");
 return sec_status_bogus;
 }
+ if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+ verbose(VERB_ALGO, "proveWildcard: NSEC3 optout");
+ return sec_status_insecure;
+ }
 return sec_status_secure;
 }
 
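Review bot: Both new opt-out checks make nsec3_do_prove_nameerror and nsec3_prove_wildcard return sec_status_insecure, a value their header comments (above the hunks, outside SOURCE) most likely do not yet list; each comment should state that an NSEC3 with the Opt-Out flag covering the next closer name yields sec_status_insecure, because an unsigned delegation could exist in that span and the response must not carry the AD flag (RFC 5155 section 9.2, as the new comment in val_nsec3_optout_ad.rpl says). Placing the check after the wildcard non-existence proof is the right order: a bogus wildcard proof still comes back bogus and is not downgraded to insecure. The `ce.nc_rrset &&` guard implies the next-closer rrset can be unset at this point; if that can happen here, a one-line comment on why the proof then falls through to sec_status_secure would help the next reader, and if an earlier bogus return already excludes it the guard deserves a note saying so. The same applies to the nsec3_prove_wildcard hunk. The enclosing functions start before both hunks.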
@@ -1381,7 +1390,7 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key** list, size_t num,
 struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
 {
- enum sec_status sec;
+ enum sec_status sec, secnx;
 rbtree_t ct;
 struct nsec3_filter flt;
 *nodata = 0;
@@ -1398,12 +1407,16 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 
 /* try nxdomain and nodata after another, while keeping the
 * hash cache intact */
- sec = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
- if(sec==sec_status_secure)
+ secnx = nsec3_do_prove_nameerror(env, &flt, &ct, qinfo);
+ if(secnx==sec_status_secure)
 return sec_status_secure;
 sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
 if(sec==sec_status_secure) {
 *nodata = 1;
+ } else if(sec == sec_status_insecure) {
+ *nodata = 1;
+ } else if(secnx == sec_status_insecure) {
+ sec = sec_status_insecure;
 }
 return sec;
 }
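Review bot: The two `*nodata = 1;` branches after the nodata proof in the second hunk are identical and read more clearly as one condition, `if(sec==sec_status_secure || sec==sec_status_insecure) { *nodata = 1; } else if(secnx == sec_status_insecure) { sec = sec_status_insecure; }`. The precedence that results deserves a comment, since it is the security-relevant part: an insecure nodata proof wins over an insecure nameerror proof, and an insecure nameerror proof (opt-out NSEC3 covering the next closer name, introduced by this commit) replaces a bogus nodata result; that looks intended, because nsec3_do_prove_nameerror only returns insecure after the closest-encloser and wildcard checks have passed, but the existing `try nxdomain and nodata after another` comment should say so rather than leave it implicit. The caller-facing description of nsec3_prove_nxornodata lies outside the hunk and should now mention that sec_status_insecure can be returned with *nodata either set or clear.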