Commit 20696e4b authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'fix-nsec-nonauth-skip' into 'master'

NSEC: fix skipping of non-authoritative nodes

See merge request !428
parents d0abe62d 8ad34a41
......@@ -302,7 +302,7 @@ static int ns_put_nsec_wildcard(const zone_contents_t *zone,
previous = zone_contents_find_previous(zone, qname);
assert(previous != NULL);
while (previous->flags != NODE_FLAGS_AUTH) {
while (previous->flags & NODE_FLAGS_NONAUTH) {
previous = previous->prev;
}
}
......@@ -490,7 +490,7 @@ static int ns_put_nsec_nxdomain(const knot_dname_t *qname,
if (previous == NULL) {
previous = zone_contents_find_previous(zone, qname);
assert(previous != NULL);
while (previous->flags != NODE_FLAGS_AUTH) {
while (previous->flags & NODE_FLAGS_NONAUTH) {
previous = previous->prev;
}
}
......@@ -529,7 +529,7 @@ dbg_ns_exec_verb(
}
const zone_node_t *prev_new = zone_contents_find_previous(zone, wildcard);
while (prev_new->flags != NODE_FLAGS_AUTH) {
while (prev_new->flags & NODE_FLAGS_NONAUTH) {
prev_new = prev_new->prev;
}
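Review bot: The `prev_new` loop in the last hunk dereferences the result of `zone_contents_find_previous()` with no NULL check, and the two `previous` loops guard it only with `assert()`, which is compiled out under NDEBUG. None of the three loops tests `->prev` before the next iteration, so termination depends on a node without `NODE_FLAGS_NONAUTH` always being reachable; that invariant is not visible on this page, and since the code runs while answering queries it is worth enforcing rather than assuming. The same walk now appears three times, so a small static helper would keep the flag test (taken here to be the `& NODE_FLAGS_NONAUTH` form, printed second) in one place. All three enclosing functions start and end outside the hunks shown.

```c
/* Walk back to the nearest node not flagged as non-authoritative.
 * Returns NULL if the chain ends first, so callers can fail cleanly. */
static const zone_node_t *nsec_prev_auth(const zone_node_t *node)
{
	while (node != NULL && (node->flags & NODE_FLAGS_NONAUTH)) {
		node = node->prev;
	}
	return node;
}

/* … unchanged: earlier part of ns_put_nsec_wildcard … */
previous = nsec_prev_auth(zone_contents_find_previous(zone, qname));
if (previous == NULL) {
	/* return the function's existing error code here */
}
/* … same replacement for the loops in ns_put_nsec_nxdomain and on prev_new … */
```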
......
......@@ -24,5 +24,14 @@ xx.example. 3600 IN A 192.0.2.10
xx.example. 3600 IN HINFO "KLH-10" "TOPS-20"
xx.example. 3600 IN AAAA 2001:db8::f00:baaa
x.w.example. 3600 IN MX 1 xx.example.
*.to-apex.example. 3600 IN CNAME example. ; Wildcard expansion leading to apex
*.to-nxdomain.example. 3600 IN CNAME nxdomain.example. ; Wildcard expansion leading to nonexistent name
; Extra records (beyond the RFC)
*.to-apex.example. 3600 IN CNAME example. ; Wildcard expansion leading to apex
*.to-nxdomain.example. 3600 IN CNAME nxdomain.example. ; Wildcard expansion leading to nonexistent name
\000.nsec-deleg.z.z.example. 3600 IN NS ns1.a.example.
;*.nsec-deleg.z.z.example.
a.nsec-deleg.z.z.example. 3600 IN A 192.0.2.1
;b.nsec-deleg.z.z.example.
c.nsec-deleg.z.z.example. 3600 IN A 192.0.2.1
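Review bot: The two commented-out owner names (`;*.nsec-deleg.z.z.example.` and `;b.nsec-deleg.z.z.example.`) read like disabled records, when they appear to mark names that are deliberately absent. A short comment above the group would make the fixture's intent clear, for example `; \000 label is a delegation that sorts immediately before the (absent) wildcard; names prefixed with ';' intentionally do not exist`. That wording is inferred from the test query for `b.nsec-deleg.z.z.example`, so adjust it if the intent differs.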
......@@ -116,4 +116,9 @@ resp = knot.dig("y.w.example", "A", dnssec=True)
resp.check(rcode="NOERROR", flags="QR AA", eflags="DO")
resp.cmp(bind)
# Wildcard NSEC with delegation boundary (Knot specific).
resp = knot.dig("b.nsec-deleg.z.z.example", "A", dnssec=True)
resp.check(rcode="NXDOMAIN", flags="QR AA", eflags="DO")
resp.cmp(bind)
t.end()
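Review bot: The added case queries only a nonexistent name (`b.nsec-deleg.z.z.example`, expecting NXDOMAIN), while the source change also touches the loop in `ns_put_nsec_wildcard`. As far as this page shows, no query is added where a wildcard-synthesised answer has a delegation as the preceding node, so that path may remain uncovered. The comment could also say what is being verified, for example `# NSEC covering the absent wildcard must be owned by the \000 delegation node, not skipped past it`. The expected NSEC owner is checked only indirectly, through `resp.cmp(bind)`.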