upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2233 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2010-09-15 07:08:09 +00:00
parent bf3c0e07d6
commit c3f180eebb
4 changed files with 14 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/Changelog
View file

@ -1,3 +1,6 @@
15 September 2010: Wouter
- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
14 September 2010: Wouter 14 September 2010: Wouter
- increased mesh-max-activation from 1000 to 3000 for crazy domains - increased mesh-max-activation from 1000 to 3000 for crazy domains
like _tcp.slb.com with 262 servers. like _tcp.slb.com with 262 servers.

5
testdata/val_nsec3_optout_ad.rpl vendored
View file

@ -185,11 +185,12 @@ sub.example.com. IN DS
ENTRY_END ENTRY_END
; recursion happens here. ; recursion happens here.
; the same answer gives AD flag for DS, because the optout says no DS exists. ; no AD flag here because of RFC5155 9.2 section.
; even though we are sure there is no DS, this is what the RFC says.
STEP 30 CHECK_ANSWER STEP 30 CHECK_ANSWER
ENTRY_BEGIN ENTRY_BEGIN
MATCH all MATCH all
REPLY QR RD RA AD NOERROR REPLY QR RD RA NOERROR
SECTION QUESTION SECTION QUESTION
sub.example.com. IN DS sub.example.com. IN DS
SECTION ANSWER SECTION ANSWER

9
validator/val_nsec3.c
View file

@ -1179,10 +1179,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
"-- no more options, bogus."); "-- no more options, bogus.");
return sec_status_bogus; return sec_status_bogus;
} }
/* the optout is a secure denial of DS records */ /* RFC5155 section 9.2: if nc has optout then no AD flag set */
if(qinfo->qtype != LDNS_RR_TYPE_DS) return sec_status_insecure;
return sec_status_insecure;
return sec_status_secure;
} }
enum sec_status enum sec_status
@ -1348,7 +1346,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
"DS NOERROR/NODATA case"; "DS NOERROR/NODATA case";
return sec_status_bogus; return sec_status_bogus;
} }
return sec_status_secure; /* RFC5155 section 9.2: if nc has optout then no AD flag set */
return sec_status_insecure;
} }
enum sec_status enum sec_status

5
validator/validator.c
View file

@ -2428,6 +2428,10 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
msg->rep->rrsets + msg->rep->an_numrrsets, msg->rep->rrsets + msg->rep->an_numrrsets,
msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason); msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
switch(sec) { switch(sec) {
case sec_status_insecure:
/* case insecure also continues to unsigned
* space. If nsec3-iter-count too high or
* optout, then treat below as unsigned */
case sec_status_secure: case sec_status_secure:
verbose(VERB_DETAIL, "NSEC3s for the " verbose(VERB_DETAIL, "NSEC3s for the "
"referral proved no DS."); "referral proved no DS.");
@ -2446,7 +2450,6 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
"referral did not prove no DS."); "referral did not prove no DS.");
errinf(qstate, reason); errinf(qstate, reason);
goto return_bogus; goto return_bogus;
case sec_status_insecure:
case sec_status_unchecked: case sec_status_unchecked:
default: default:
/* NSEC3 proof did not work */ /* NSEC3 proof did not work */