Check NSEC3 CE to be without delegations

(no DNAME, no NS or, if NS then also SOA)
2015-07-04 10:53:31 +02:00 · 2015-07-04 10:53:31 +02:00 · 7e3fbe547a
parent f59b32414c
commit 7e3fbe547a
1 changed files with 20 additions and 0 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@ -1313,6 +1313,26 @@ static int key_proves_nonexistance(

 			if (   (ce = rrset_iter_value(i))->rr_type
 					!= GETDNS_RRTYPE_NSEC3
+
+			    /* Get the bitmap rdata field */
+			    || !(nsec_rr = rrtype_iter_init(&nsec_spc, ce))
+			    || !(bitmap = priv_getdns_rdf_iter_init_at(
+					    &bitmap_spc, &nsec_rr->rr_i, 1))
+
+			    /* No DNAME or delegation point at the closest
+			     * encloser.
+			     *
+			     * TODO: Ask Wouter
+			     * Unbound val_nsec3:1024 finishes insecurely
+			     * here (instead of bogus) when DS is also missing.
+			     * Should we not have followed the delegation then
+			     * too?
+			     */
+			    || bitmap_has_type(bitmap, GETDNS_RRTYPE_DNAME)
+			    || (    bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+			        && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA)
+			       )
+
 			    || !nsec3_matches_name(ce, ce_name)
 			    || !a_key_signed_rrset(keyset, ce))
 				continue;