dnssec validation: enable junk NSEC3 with...

...same salt, but different iterations count

dnssec validation: enable junk NSEC3 with...
59d2b296 · Daniel Salzman · 495fb8ea · 59d2b296 · 59d2b296 · 59d2b296
Commit 59d2b296 authored 4 years ago by Daniel Salzman
--- a/src/knot/dnssec/context.c
+++ b/src/knot/dnssec/context.c
@@ -272,7 +272,8 @@ int kdnssec_validation_ctx(conf_t *conf, kdnssec_ctx_t *ctx, const zone_contents
 	policy_load(ctx->policy, &policy_id);

 	int ret = kasp_zone_from_contents(ctx->zone, zone, ctx->policy->single_type_signing,
-	                                  ctx->policy->nsec3_enabled, &ctx->keytag_conflict);
+	                                  ctx->policy->nsec3_enabled, &ctx->policy->nsec3_iterations,
+	                                  &ctx->keytag_conflict);
 	if (ret != KNOT_EOK) {
 		memset(ctx->zone, 0, sizeof(*ctx->zone));
 		kdnssec_ctx_deinit(ctx);

--- a/src/knot/dnssec/kasp/kasp_zone.c
+++ b/src/knot/dnssec/kasp/kasp_zone.c
@@ -310,6 +310,7 @@ int kasp_zone_from_contents(knot_kasp_zone_t *zone,
                            const zone_contents_t *contents,
                            bool policy_single_type_signing,
                            bool policy_nsec3,
+                            uint16_t *policy_nsec3_iters,
                            bool *keytag_conflict)
 {
 	if (zone == NULL || contents == NULL || contents->apex == NULL) {
@@ -372,6 +373,8 @@ int kasp_zone_from_contents(knot_kasp_zone_t *zone,
 		memcpy(zone->nsec3_salt.data,
 		       knot_nsec3param_salt(zone_ns3p->rdata),
 		       zone->nsec3_salt.size);
+
+		*policy_nsec3_iters = knot_nsec3param_iters(zone_ns3p->rdata);
 	}

 	detect_keytag_conflict(zone, keytag_conflict);

--- a/src/knot/dnssec/kasp/kasp_zone.h
+++ b/src/knot/dnssec/kasp/kasp_zone.h
@@ -50,4 +50,5 @@ int kasp_zone_from_contents(knot_kasp_zone_t *zone,
                            const zone_contents_t *contents,
                            bool policy_single_type_signing,
                            bool policy_nsec3,
+                            uint16_t *policy_nsec3_iters,
                            bool *keytag_conflict);
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
@@ -287,7 +287,9 @@ static bool node_nsec3_unmatching(const zone_node_t *node, const dnssec_nsec3_pa
 	}
 	knot_rdata_t *rdata = nsec3->rdata;
 	for (int i = 0; i < nsec3->count; i++) {
-		if (knot_nsec3_salt_len(rdata) == params->salt.size &&
+		if (knot_nsec3_alg(rdata) == params->algorithm &&
+		    knot_nsec3_iters(rdata) == params->iterations &&
+		    knot_nsec3_salt_len(rdata) == params->salt.size &&
 		    memcmp(knot_nsec3_salt(rdata), params->salt.data, params->salt.size) == 0) {
 			return false;
 		}