- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.

git-svn-id: file:///svn/unbound/trunk@2233 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2010-09-15 07:08:09 +00:00 · 2010-09-15 07:08:09 +00:00 · c3f180eebb
commit c3f180eebb
parent bf3c0e07d6
4 changed files with 14 additions and 8 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+15 September 2010: Wouter
+	- Abide RFC5155 section 9.2: no AD flag for replies with NSEC3 optout.
+
 14 September 2010: Wouter
 	- increased mesh-max-activation from 1000 to 3000 for crazy domains
 	  like _tcp.slb.com with 262 servers.
--- a/testdata/val_nsec3_optout_ad.rpl
+++ b/testdata/val_nsec3_optout_ad.rpl
@ -185,11 +185,12 @@ sub.example.com. IN DS
 ENTRY_END

 ; recursion happens here.
-; the same answer gives AD flag for DS, because the optout says no DS exists.
+; no AD flag here because of RFC5155 9.2 section.
+; even though we are sure there is no DS, this is what the RFC says.
 STEP 30 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 sub.example.com. IN DS
 SECTION ANSWER
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@ -1179,10 +1179,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 			"-- no more options, bogus.");
 		return sec_status_bogus;
 	}
-	/* the optout is a secure denial of DS records */
-	if(qinfo->qtype != LDNS_RR_TYPE_DS)
+	/* RFC5155 section 9.2: if nc has optout then no AD flag set */
 	return sec_status_insecure;
-	return sec_status_secure;
 }

 enum sec_status
@ -1348,7 +1346,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 			"DS NOERROR/NODATA case";
 		return sec_status_bogus;
 	}
-	return sec_status_secure;
+	/* RFC5155 section 9.2: if nc has optout then no AD flag set */
+	return sec_status_insecure;
 }

 enum sec_status
--- a/validator/validator.c
+++ b/validator/validator.c
@ -2428,6 +2428,10 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 			msg->rep->rrsets + msg->rep->an_numrrsets,
 			msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason);
 		switch(sec) {
+			case sec_status_insecure:
+				/* case insecure also continues to unsigned
+				 * space.  If nsec3-iter-count too high or
+				 * optout, then treat below as unsigned */
 			case sec_status_secure:
 				verbose(VERB_DETAIL, "NSEC3s for the "
 					"referral proved no DS.");
@ -2446,7 +2450,6 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 					"referral did not prove no DS.");
 				errinf(qstate, reason);
 				goto return_bogus;
-			case sec_status_insecure:
 			case sec_status_unchecked:
 			default:
 				/* NSEC3 proof did not work */