- Fix #1278: Incomplete wildcard proof.

git-svn-id: file:///svn/unbound/trunk@4218 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+12 June 2017: Wouter
+	- Fix #1278: Incomplete wildcard proof.
+
 8 June 2017: Ralph
 	- Added domain name based ECS whitelist.
 

services/cache/dns.c

@@ -41,6 +41,7 @@
 #include "config.h"
 #include "iterator/iter_delegpt.h"
 #include "validator/val_nsec.h"
+#include "validator/val_utils.h"
 #include "services/cache/dns.h"
 #include "services/cache/rrset.h"
 #include "util/data/msgreply.h"
@@ -755,10 +756,16 @@ dns_cache_lookup(struct module_env* env,
 	if( qtype != LDNS_RR_TYPE_DS &&
 	   (rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen, 
 		LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
-		struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+		uint8_t* wc = NULL;
-		if(msg) {
+		/* if the rrset is not a wildcard expansion, with wcname */
-			lock_rw_unlock(&rrset->entry.lock);
+		/* because, if we return that CNAME rrset on its own, it is
-			return msg;
+		 * missing the NSEC or NSEC3 proof */
+		if(!(val_rrset_wildcard(rrset, &wc) && wc != NULL)) {
+			struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
+			if(msg) {
+				lock_rw_unlock(&rrset->entry.lock);
+				return msg;
+			}
 		}
 		lock_rw_unlock(&rrset->entry.lock);
 	}