- Use NSEC with longest ce to prove wildcard absence.

- Only use *.ce to prove wildcard absence, no longer names.


git-svn-id: file:///svn/unbound/trunk@4460 be551aaa-1e26-0410-a405-d3ace91eadb9
Ralph Dolmans 2018-01-29 13:46:57 +00:00
parent 942ced78ed
commit b9f4ff6e9f
3 changed files with 23 additions and 7 deletions


@ -1,3 +1,7 @@
29 January 2018: Ralph
- Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.
25 January 2018: Wouter
- ltrace.conf file for libunbound in contrib.


@ -513,7 +513,6 @@ val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
/* Determine if a NSEC record proves the non-existence of a
* wildcard that could have produced qname. */
int labs;
int i;
uint8_t* ce = nsec_closest_encloser(qname, nsec);
uint8_t* strip;
size_t striplen;
@ -526,13 +525,13 @@ val_nsec_proves_no_wc(struct ub_packed_rrset_key* nsec, uint8_t* qname,
* and next names. */
labs = dname_count_labels(qname) - dname_count_labels(ce);
for(i=labs; i>0; i--) {
if(labs > 0) {
/* i is number of labels to strip off qname, prepend * wild */
strip = qname;
striplen = qnamelen;
dname_remove_labels(&strip, &striplen, i);
dname_remove_labels(&strip, &striplen, labs);
if(striplen > LDNS_MAX_DOMAINLEN-2)
continue; /* too long to prepend wildcard */
return 0; /* too long to prepend wildcard */
buf[0] = 1;
buf[1] = (uint8_t)'*';
memmove(buf+2, strip, striplen);
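Review bot: The function's header comment (context lines at the top of the first hunk, "Determine if a NSEC record proves the non-existence of a wildcard that could have produced qname") no longer describes what the new body checks: with the loop replaced by a single `dname_remove_labels(&strip, &striplen, labs)` only the wildcard directly below the closest encloser, `*.ce`, is tested, and a name too long to prefix with `*` now returns 0 instead of trying a shorter candidate. Suggest extending the comment with `/* Only *.ce (wildcard directly below the closest encloser) is checked; the caller must pass the NSEC with the longest ce for the proof to be sound. */` so the dependency on the caller's NSEC selection is explicit. The `LDNS_MAX_DOMAINLEN-2` check appears to be what keeps the memmove into `buf` in bounds, which is worth a one-line comment as well since the buffer's size is not visible in this hunk. The body of val_nsec_proves_no_wc continues outside the hunk.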


@ -944,6 +944,9 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve,
int nsec3s_seen = 0;
struct ub_packed_rrset_key* s;
size_t i;
uint8_t* ce;
int ce_labs = 0;
int prev_ce_labs = 0;
for(i=chase_reply->an_numrrsets; i<chase_reply->an_numrrsets+
chase_reply->ns_numrrsets; i++) {
@ -951,9 +954,19 @@ validate_nameerror_response(struct module_env* env, struct val_env* ve,
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC) {
if(val_nsec_proves_name_error(s, qchase->qname))
has_valid_nsec = 1;
if(val_nsec_proves_no_wc(s, qchase->qname,
qchase->qname_len))
has_valid_wnsec = 1;
ce = nsec_closest_encloser(qchase->qname, s);
ce_labs = dname_count_labels(ce);
/* Use longest closest encloser to prove wildcard. */
if(ce_labs > prev_ce_labs ||
(ce_labs == prev_ce_labs &&
has_valid_wnsec == 0)) {
if(val_nsec_proves_no_wc(s, qchase->qname,
qchase->qname_len))
has_valid_wnsec = 1;
else
has_valid_wnsec = 0;
}
prev_ce_labs = ce_labs;
if(val_nsec_proves_insecuredelegation(s, qchase)) {
verbose(VERB_ALGO, "delegation is insecure");
chase_reply->security = sec_status_insecure;
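Review bot: `prev_ce_labs = ce_labs;` is executed for every NSEC, including those whose closest encloser is shorter than the longest seen so far, so the tracked label count can shrink; a later NSEC whose ce is longer than that shorter one but still shorter than the longest then re-enters the block and overwrites has_valid_wnsec, making the outcome depend on RRset order rather than on the longest ce as the comment intends. Since the point of the change is to accept only a proof for `*.ce` of the longest closest encloser, prev_ce_labs should only ever grow: `if(ce_labs > prev_ce_labs) prev_ce_labs = ce_labs;`, or move the assignment inside the if block. The same variables are declared in the first hunk of this file; the for loop and validate_nameerror_response continue outside the hunk.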