Merge branch 'fix-nsec-nonauth-skip' into 'master'

NSEC: fix skipping of non-authoritative nodes See merge request !428

Merge branch 'fix-nsec-nonauth-skip' into 'master'
20696e4b · Daniel Salzman · d0abe62d · 8ad34a41 · 20696e4b · 20696e4b
Commit 20696e4b authored 9 years ago by Daniel Salzman
--- a/src/knot/nameserver/nsec_proofs.c
+++ b/src/knot/nameserver/nsec_proofs.c
@@ -302,7 +302,7 @@ static int ns_put_nsec_wildcard(const zone_contents_t *zone,
 		previous = zone_contents_find_previous(zone, qname);
 		assert(previous != NULL);

-		while (previous->flags != NODE_FLAGS_AUTH) {
+		while (previous->flags & NODE_FLAGS_NONAUTH) {
 			previous = previous->prev;
 		}
 	}
@@ -490,7 +490,7 @@ static int ns_put_nsec_nxdomain(const knot_dname_t *qname,
 	if (previous == NULL) {
 		previous = zone_contents_find_previous(zone, qname);
 		assert(previous != NULL);
-		while (previous->flags != NODE_FLAGS_AUTH) {
+		while (previous->flags & NODE_FLAGS_NONAUTH) {
 			previous = previous->prev;
 		}
 	}
@@ -529,7 +529,7 @@ dbg_ns_exec_verb(
 	}

 	const zone_node_t *prev_new = zone_contents_find_previous(zone, wildcard);
-	while (prev_new->flags != NODE_FLAGS_AUTH) {
+	while (prev_new->flags & NODE_FLAGS_NONAUTH) {
 		prev_new = prev_new->prev;
 	}


--- a/tests-extra/data/example.zone
+++ b/tests-extra/data/example.zone
@@ -24,5 +24,14 @@ xx.example.	3600 IN A	192.0.2.10
 xx.example.	3600 IN HINFO	"KLH-10" "TOPS-20"
 xx.example.	3600 IN AAAA	2001:db8::f00:baaa
 x.w.example.	3600 IN MX	1 xx.example.
-*.to-apex.example. 3600 IN CNAME example. ; Wildcard expansion leading to apex
-*.to-nxdomain.example. 3600 IN CNAME nxdomain.example. ; Wildcard expansion leading to nonexistent name
+
+; Extra records (beyond the RFC)
+*.to-apex.example.	3600 IN CNAME example. ; Wildcard expansion leading to apex
+*.to-nxdomain.example.	3600 IN CNAME nxdomain.example. ; Wildcard expansion leading to nonexistent name
+
+\000.nsec-deleg.z.z.example.	3600 IN NS	ns1.a.example.
+;*.nsec-deleg.z.z.example.
+a.nsec-deleg.z.z.example.	3600 IN A	192.0.2.1
+;b.nsec-deleg.z.z.example.
+c.nsec-deleg.z.z.example.	3600 IN A	192.0.2.1
+
--- a/tests-extra/tests/basic/nsec/data/example.zone.nsec
+++ b/tests-extra/tests/basic/nsec/data/example.zone.nsec
--- a/tests-extra/tests/basic/nsec/test.py
+++ b/tests-extra/tests/basic/nsec/test.py
@@ -116,4 +116,9 @@ resp = knot.dig("y.w.example", "A", dnssec=True)
 resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
 resp.cmp(bind)

+# Wildcard NSEC with delegation boundary (Knot specific).
+resp = knot.dig("b.nsec-deleg.z.z.example", "A", dnssec=True)
+resp.check(rcode="NXDOMAIN", flags="QR AA", eflags="DO")
+resp.cmp(bind)
+
 t.end()