From 7e3fbe547a5fa61330d2545897e4047b93fdefd3 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Sat, 4 Jul 2015 10:53:31 +0200
Subject: [PATCH] Check NSEC3 CE to be without delegations (no DNAME, no NS or, if NS then also SOA)

---
 src/dnssec.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/dnssec.c b/src/dnssec.c
index 01290958..1407274b 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1313,6 +1313,26 @@ static int key_proves_nonexistance(
 		if ( (ce = rrset_iter_value(i))->rr_type != GETDNS_RRTYPE_NSEC3
+
+		    /* Get the bitmap rdata field */
+		    || !(nsec_rr = rrtype_iter_init(&nsec_spc, ce))
+		    || !(bitmap = priv_getdns_rdf_iter_init_at(
+				&bitmap_spc, &nsec_rr->rr_i, 1))
+
+		    /* No DNAME or delegation point at the closest
+		     * encloser.
+		     *
+		     * TODO: Ask Wouter
+		     * Unbound val_nsec3:1024 finishes insecurely
+		     * here (instead of bogus) when DS is also missing.
+		     * Should we not have followed the delegation then
+		     * too?
+		     */
+		    || bitmap_has_type(bitmap, GETDNS_RRTYPE_DNAME)
+		    || ( bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
+		       && !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA)
+		       )
+
 		    || !nsec3_matches_name(ce, ce_name)
 		    || !a_key_signed_rrset(keyset, ce))
 			continue;
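Review bot: The rdata index passed to priv_getdns_rdf_iter_init_at in the added bitmap lookup looks wrong for NSEC3: in the RFC 5155 RDATA layout the Type Bit Maps field comes sixth (index 5, after hash algorithm, flags, iterations, salt and next hashed owner name), and index 1 is the Flags octet; index 1 is the bitmap position only for NSEC. If the iterator numbers fields in wire order — which I cannot confirm from this hunk — bitmap_has_type is then evaluated against the flags byte and the new DNAME / NS-without-SOA rejection never fires on a real delegation point, so a closest encloser that is a delegation would still be accepted as proof of non-existence; the fix would be `&bitmap_spc, &nsec_rr->rr_i, 5))`. The TODO about Unbound finishing insecure rather than bogus here decides the validation outcome of this whole branch and is better tracked as an issue than left open inside the condition. key_proves_nonexistance starts outside the hunk.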