layer/validate: NSEC3wild card answer response

4c3801ef · Karel Slaný · e79154a6 · 4c3801ef · 4c3801ef · 4c3801ef
Commit 4c3801ef authored 9 years ago by Karel Slaný
--- a/lib/dnssec/nsec.h
+++ b/lib/dnssec/nsec.h
@@ -65,7 +65,6 @@ int kr_nsec_wildcard_no_data_response_check(const knot_pkt_t *pkt, knot_section_

 /**
 * Wildcard answer response check (RFC4035 3.1.3.3).
- *
 * @param pkt        Packet structure to be processed.
 * @param section_id Packet section to be processed.
 * @param sname      Name to be checked.

--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -594,3 +594,34 @@ int kr_nsec3_wildcard_no_data_response_check(const knot_pkt_t *pkt, knot_section
 	}
 	return matches_closest_encloser_wildcard(pkt, section_id, encloser, stype);
 }
+
+int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
+                                            const knot_dname_t *sname, int trim_to_next)
+{
+	const knot_pktsection_t *sec = knot_pkt_section(pkt, section_id);
+	if (!sec || !sname) {
+		return kr_error(EINVAL);
+	}
+
+	/* Compute the next closer name. */
+	for (int i = 0; i < trim_to_next; ++i) {
+		sname = knot_wire_next_label(sname, NULL);
+	}
+
+	int flags = 0;
+	for (unsigned i = 0; i < sec->count; ++i) {
+		const knot_rrset_t *rrset = knot_pkt_rr(sec, i);
+		if (rrset->type != KNOT_RRTYPE_NSEC3) {
+			continue;
+		}
+		int ret = covers_name(&flags, rrset, sname);
+		if (ret != 0) {
+			return ret;
+		}
+		if (flags & FLG_NAME_COVERED) {
+			return kr_ok();
+		}
+	}
+
+	return kr_error(ENOENT);
+}
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -52,3 +52,14 @@ int kr_nsec3_no_data_response_check(const knot_pkt_t *pkt, knot_section_t sectio
 */
 int kr_nsec3_wildcard_no_data_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
                                             const knot_dname_t *sname, uint16_t stype);
+
+/**
+ * Wildcard answer response check (RFC5155 7.2.6).
+ * @param pkt          Packet structure to be processed.
+ * @param section_id   Packet section to be processed.
+ * @param sname        Name to be checked.
+ * @param trim_to_next Number of labels to remove to obtain next closer name.
+ * @return             0 or error code.
+ */
+int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
+                                            const knot_dname_t *sname, int trim_to_next);