Merge branch 'kzonecheck_optout_ent' into 'master'

kzonecheck/NSEC3: correctly check opt-outed empty-non-terminals

See merge request !1259

src/knot/zone/semantic-check.c

-/*  Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -839,6 +839,11 @@ static int check_nsec(const zone_node_t *node, semchecks_data_t *data)
 	return KNOT_EOK;
 }
 
+static bool nsec3_optout_allow(const zone_node_t *node)
+{
+	return (node->flags & NODE_FLAGS_DELEG) && !node_rrtype_exists(node, KNOT_RRTYPE_DS);
+}
+
 /*!
  * \brief Check if node has NSEC3 node.
  *
@@ -848,9 +853,9 @@ static int check_nsec(const zone_node_t *node, semchecks_data_t *data)
 static int check_nsec3_presence(const zone_node_t *node, semchecks_data_t *data)
 {
 	bool auth = (node->flags & NODE_FLAGS_NONAUTH) == 0;
-	bool deleg = (node->flags & NODE_FLAGS_DELEG) != 0;
+	bool empty = (node->flags & NODE_FLAGS_EMPTY) != 0;
 
-	if ((deleg && node_rrtype_exists(node, KNOT_RRTYPE_DS)) || (auth && !deleg)) {
+	if (!nsec3_optout_allow(node) && auth && !empty) {
 		if (node_nsec3_get(node) == NULL) {
 			data->handler->cb(data->handler, data->zone, node,
 			                  SEM_ERR_NSEC3_NONE, NULL);
@@ -868,7 +873,7 @@ static int check_nsec3_presence(const zone_node_t *node, semchecks_data_t *data)
  */
 static int check_nsec3_opt_out(const zone_node_t *node, semchecks_data_t *data)
 {
-	if (!(node_nsec3_get(node) == NULL && node->flags & NODE_FLAGS_DELEG)) {
+	if (!(node_nsec3_get(node) == NULL && node->flags & (NODE_FLAGS_DELEG | NODE_FLAGS_EMPTY))) {
 		return KNOT_EOK;
 	}
 	/* Insecure delegation, check whether it is part of opt-out span. */
@@ -1202,6 +1207,30 @@ static void check_dnskey(zone_contents_t *zone, sem_handler_t *handler)
 	}
 }
 
+static int mark_nsec3_optout(zone_node_t *node, void *ctx)
+{
+	UNUSED(ctx);
+	if (nsec3_optout_allow(node) && node_nsec3_get(node) == NULL) {
+		do {
+			assert(!(node->flags & NODE_FLAGS_APEX));
+			node->flags |= NODE_FLAGS_EMPTY;
+			node = node_parent(node);
+			node->children--;
+		} while (node->rrset_count == 0 && node->children == 0 && node_nsec3_get(node) == NULL);
+	}
+	return KNOT_EOK;
+}
+
+static int unmark_nsec3_optout(zone_node_t *node, void *ctx)
+{
+	UNUSED(ctx);
+	if (node->flags & NODE_FLAGS_EMPTY) {
+		node->flags &= ~NODE_FLAGS_EMPTY;
+		node_parent(node)->children++;
+	}
+	return KNOT_EOK;
+}
+
 int sem_checks_process(zone_contents_t *zone, semcheck_optional_t optional, sem_handler_t *handler,
                        time_t time)
 {
@@ -1233,7 +1262,16 @@ int sem_checks_process(zone_contents_t *zone, semcheck_optional_t optional, sem_
 		}
 	}
 
+	if (data.level & NSEC3) {
+		int ret = zone_tree_apply(zone->nodes, mark_nsec3_optout, NULL);
+		if (ret != KNOT_EOK) {
+			return ret;
+		}
+	}
 	int ret = zone_contents_apply(zone, do_checks_in_tree, &data);
+	if (data.level & NSEC3) {
+		(void)zone_tree_apply(zone->nodes, unmark_nsec3_optout, NULL);
+	}
 	if (ret != KNOT_EOK) {
 		return ret;
 	}

tests/knot/semantic_check_data/nsec3_optout_ent.all

+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg1.ent.example.com.	3600	NS	glue.outofzone.net.
+deleg2.ent.example.com.	3600	NS	glue.outofzone.net.
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400410173442 20210209160442 61806 example.com. laxHzto10anAyWXb/IqVEoBsybVmb/aCMb4SdxEC3YiJFj1IX9rxChVnuXrQ5zgr1f6YaRyc/DDTP8NFvwyTWg==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400410173442 20210209160442 61806 example.com. /eNl2bkB/SJ6qBX+Jpm5KTXIs5Xi978JWRN2jtbEh5Z9udy7liS73oMkBLlJ33amKc7Gwfqi2+SgdHHud4j0Ug==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400410173442 20210209160442 25674 example.com. TpePckJM7GcsE72vbfSf49LzEM1chUFIiKBN0VyCHdB3YFpRH5d8Qx+XWh8Vs9AuLoKMWTQ0UD4kZK8yF70N4A==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400410173442 20210209160442 61806 example.com. RfPCpoA94H+dm7fqxhZ+GIf4fQwzN19yJVbhmEOtx6if9U/H6mJalvoy4d5UD/L2bferTBbie4I/TzAIXgVETQ==
+
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS SOA RRSIG DNSKEY NSEC3PARAM
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410181548 20210209164548 61806 example.com. EBPlHXYdARm1T0TaYadx0ETwC6w0g5J1yPR6LB3ur9IItcEWRONhqDrNwUbYGbW5c4nWep/hnJYdmMFq1bTfiw==

tests/knot/semantic_check_data/nsec3_optout_ent.invalid

+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg1.ent.example.com.	3600	NS	glue.outofzone.net.
+deleg2.ent.example.com.	3600	NS	glue.outofzone.net.
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400410173442 20210209160442 61806 example.com. laxHzto10anAyWXb/IqVEoBsybVmb/aCMb4SdxEC3YiJFj1IX9rxChVnuXrQ5zgr1f6YaRyc/DDTP8NFvwyTWg==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400410173442 20210209160442 61806 example.com. /eNl2bkB/SJ6qBX+Jpm5KTXIs5Xi978JWRN2jtbEh5Z9udy7liS73oMkBLlJ33amKc7Gwfqi2+SgdHHud4j0Ug==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400410173442 20210209160442 25674 example.com. TpePckJM7GcsE72vbfSf49LzEM1chUFIiKBN0VyCHdB3YFpRH5d8Qx+XWh8Vs9AuLoKMWTQ0UD4kZK8yF70N4A==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400410173442 20210209160442 61806 example.com. RfPCpoA94H+dm7fqxhZ+GIf4fQwzN19yJVbhmEOtx6if9U/H6mJalvoy4d5UD/L2bferTBbie4I/TzAIXgVETQ==
+
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F gtr2v0c3d7eqh7ob8rbad7ta90tq8lci NS SOA RRSIG DNSKEY NSEC3PARAM
+
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173442 20210209160442 61806 example.com. gb3uKByt54iwCsd284xzOVnnpN97r7ARz6UacMdm2Xs4M8t6Ao9bRG7jvbNpFCALfaU/xDQF7K3v31iKBeVwjw==
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173442 20210209160442 61806 example.com. kpuFRuzOhsG5zy0Sdql0AB44IDUtf9ccTwJXdULoIqUNKeRqvgWJ7ekEhBKvntVHlBQZPescgPMvvq7PLcA2Dw==

tests/knot/semantic_check_data/nsec3_optout_ent.valid

+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg1.ent.example.com.	3600	NS	glue.outofzone.net.
+deleg2.ent.example.com.	3600	NS	glue.outofzone.net.
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400410173236 20210209160236 61806 example.com. C4ierSNpy03xjH5rQEfb01wCj4SVIzX9b15FVEMIbn3lmDo5jXO6stOrW8Z7OjoVuCaRi1Qj997TeCYqOxNXSQ==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400410173236 20210209160236 61806 example.com. NNyQzYOcPbfEsqv61I78MuMguN/KIFi/wSJc940pj7rv+riA3J+XVzpaHSSh//q8CmrvpBAk2g8KsQG/6kOXmg==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400410173236 20210209160236 25674 example.com. ZY3nxZJeOfSOEhs02mfhQgt6N1EgZubtPp3HuV69gStFSu4aCLi8a2aseQGilOFW64dOAYNm3LL/WqhPi7MZ1Q==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400410173236 20210209160236 61806 example.com. JITs/EH8nLaFRidlkT6+mcTwEpjgp2TMjb9fU5TBIlKn94og8YtOWFbNmzdEYBKlGLlkg8LwY2ortrSoRHS6Hw==
+
+ej69a9a2k2j0ntktmdvihrv5ao8fl1jt.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F gtr2v0c3d7eqh7ob8rbad7ta90tq8lci
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ej69a9a2k2j0ntktmdvihrv5ao8fl1jt NS SOA RRSIG DNSKEY NSEC3PARAM
+
+ej69a9a2k2j0ntktmdvihrv5ao8fl1jt.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. yatL/lbFSUyN4UyRtMXymxsiqhOXHp+N+pTI/zNOc0NXCdaaLceh+tZHlc+E4napRfP53XXEhuGavjShTIJ/+g==
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. 20XNZrfJ4l/JIDjCbsba3mUOrNyOxJ2VuCju/yLc0XbdzqMcKJR87g3u967GEnoYY5f5+rJt/IHsuJWHcLApCQ==
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. eLRo9y8Rxf157qcciWM/LSUbtjYks2zLO5xQ9Ff5bidHc9m2XEqjWxqdPZz5gurEf+uPnM8mnix36X4YH4ZXwg==

tests/knot/test_semantic_check.in

@@ -107,6 +107,7 @@ expect_error "nsec_multiple.signed" 0 1 "$NSEC_RDATA_MULTIPLE"
 expect_error "nsec_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
 expect_error "nsec_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
 expect_error "nsec3_missing.signed" 0 1 "$NSEC3_NONE"
+expect_error "nsec3_optout_ent.invalid" 0 1 "$NSEC3_NONE"
 expect_error "nsec3_wrong_bitmap_01.signed" 0 1 "$NSEC3_RDATA_BITMAP"
 expect_error "nsec3_wrong_bitmap_02.signed" 0 1 "$NSEC3_RDATA_BITMAP"
 expect_error "nsec3_ds.signed" 0 1 "$NSEC3_NONE"
@@ -143,6 +144,8 @@ test_correct "glue_in_deleg.valid"
 test_correct "cdnskey.cds"
 test_correct "cdnskey.delete.both"
 test_correct "dname_apex_nsec3.signed"
+test_correct "nsec3_optout_ent.valid"
+test_correct "nsec3_optout_ent.all"
 
 test_correct_no_dnssec "no_rrsig.signed"
 test_correct_no_dnssec "no_rrsig_with_delegation.signed"