Merge branch 'semcheck_glue' into 'master'

Semcheck glue

See merge request !1051

src/knot/zone/semantic-check.c

@@ -481,21 +481,28 @@ static int check_delegation(const zone_node_t *node, semchecks_data_t *data)
 	for (int i = 0; i < ns_rrs->count; ++i) {
 		knot_rdata_t *ns_rr = knot_rdataset_at(ns_rrs, i);
 		const knot_dname_t *ns_dname = knot_ns_name(ns_rr);
-		if (knot_dname_in_bailiwick(ns_dname, node->owner) < 0) {
-			continue;
-		}
-
-		const zone_node_t *glue_node =
-			zone_contents_find_node(data->zone, ns_dname);
+		const zone_node_t *glue_node = NULL, *glue_encloser = NULL;
+		int ret = zone_contents_find_dname(data->zone, ns_dname, &glue_node,
+		                                   &glue_encloser, NULL);
+		switch (ret) {
+		case KNOT_EOUTOFZONE:
+			continue; // NS is out of bailiwick
+		case ZONE_NAME_NOT_FOUND:
+			if (glue_encloser != node &&
+			    glue_encloser->flags & (NODE_FLAGS_DELEG | NODE_FLAGS_NONAUTH)) {
+				continue; // NS is below another delegation
+			}
 
-		if (glue_node == NULL) {
-			/* Try wildcard ([1]* + suffix). */
-			knot_dname_t wildcard[KNOT_DNAME_MAXLEN];
-			memcpy(wildcard, "\x1""*", 2);
-			knot_dname_to_wire(wildcard + 2,
-			                   knot_wire_next_label(ns_dname, NULL),
+			// check if covered by wildcard
+			knot_dname_t wildcard[KNOT_DNAME_MAXLEN] = "\x1""*";
+			knot_dname_to_wire(wildcard + 2, glue_encloser->owner,
 			                   sizeof(wildcard) - 2);
 			glue_node = zone_contents_find_node(data->zone, wildcard);
+			break; // continue in checking glue existence
+		case ZONE_NAME_FOUND:
+			break; // continue in checking glue existence
+		default:
+			return ret;
 		}
 		if (!node_rrtype_exists(glue_node, KNOT_RRTYPE_A) &&
 		    !node_rrtype_exists(glue_node, KNOT_RRTYPE_AAAA)) {

tests/knot/semantic_check_data/glue_besides.missing

+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+
+dns1	A	192.0.2.1
+
+deleg	NS	dns2	
+
+; missing glue for dns2

tests/knot/semantic_check_data/glue_in_deleg.valid

+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	ns2.d
+
+d	NS	ns1.d
+ns1.d	A	1.2.3.4
+
+; glue below another delegation is not mandatory

tests/knot/semantic_check_data/glue_wildcard.valid

@@ -13,7 +13,10 @@ $TTL 3600
 dns1	A	1.2.3.4
 
 abc	NS	a.ns.abc
+deleg1	NS	a.ns.abc
+deleg2	NS	a.ns.ns.ns.ns.xyz
 
 ; wildcard glue
 
 *.ns.abc	AAAA	::1
+*.ns.xyz	AAAA	::2

tests/knot/test_semantic_check.in

@@ -85,6 +85,7 @@ expect_error "dname_extra_ns.zone"   1 1 "$DNAME_EXTRA_NS"
 expect_error "ns_apex.missing" 0 1 "$NS_APEX"
 expect_error "glue_apex_both.missing" 0 2 "$NS_GLUE"
 expect_error "glue_apex_one.missing" 0 1 "$NS_GLUE"
+expect_error "glue_besides.missing" 0 1 "$NS_GLUE"
 expect_error "glue_deleg.missing" 0 1 "$NS_GLUE"
 expect_error "glue_in_apex.missing" 0 1 "$NS_GLUE"
 expect_error "different_signer_name.signed" 0 1 "$RRSIG_RDATA_DNSKEY_OWNER \(record type NSEC\)"
@@ -131,6 +132,7 @@ test_correct "no_error_nsec3_delegation.signed"
 test_correct "no_error_nsec3_optout.signed"
 test_correct "glue_wildcard.valid"
 test_correct "glue_no_foreign.valid"
+test_correct "glue_in_deleg.valid"
 test_correct "cdnskey.cds"
 test_correct "cdnskey.delete.both"
 test_correct "dname_apex_nsec3.signed"