layer/validate: fixed possible bug in NSEC checking code

7994aed6 · Karel Slaný · 497a579a · 7994aed6 · 7994aed6
Commit 7994aed6 authored 9 years ago by Karel Slaný
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -76,8 +76,8 @@ static int nsec_nonamematch(const knot_rrset_t *nsec, const knot_dname_t *sname)

 #define FLG_NOEXIST_RRTYPE 0x01 /**< <SNAME, SCLASS> exists, <SNAME, SCLASS, STYPE> does not exist. */
 #define FLG_NOEXIST_RRSET  0x02 /**< <SNAME, SCLASS> does not exist. */
-#define FLG_NOEXIST_WILDCARD 0x03 /**< No wildcard covering <SNAME, SCLASS> exists. */
-#define FLG_NOEXIST_CLOSER 0x04 /**< Wildcard covering <SNAME, SCLASS> exists, but doesn't match STYPE. */
+#define FLG_NOEXIST_WILDCARD 0x04 /**< No wildcard covering <SNAME, SCLASS> exists. */
+#define FLG_NOEXIST_CLOSER 0x08 /**< Wildcard covering <SNAME, SCLASS> exists, but doesn't match STYPE. */

 /**
 * According to set flags determine whether authenticated denial of existence has been proven.

--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -343,7 +343,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 	if (knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_NXDOMAIN) {
 #warning TODO: validate NSECx proof, RRSIGs will be checked later if it matches
 		if (!has_nsec3) {
-			ret = kr_nsec_existence_denial(pkt, KNOT_AUTHORITY, qry->sname, qry->stype, &req->pool);
+			ret = kr_nsec_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname, &req->pool);
 		} else {
 			ret = kr_nsec3_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname, &req->pool);
 			/* TODO */