dnssec-validate: report missing NSEC3 in case whole NSEC3 chain is wrong

84ee54b2 · Libor Peltan · Daniel Salzman · 791086d5 · 84ee54b2
Commit 84ee54b2 authored 3 years ago by Libor Peltan Committed by Daniel Salzman 2 years ago
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
-/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -460,6 +460,11 @@ static int check_nsec_bitmap(zone_node_t *node, void *ctx)
 		    found_nsec3 != NULL) {
 			return KNOT_ERROR;
 		}
+		if (prev_nsec3 == NULL) {
+			data->update->validation_hint.node = (nsec_node == NULL ? node->owner : nsec_node->owner);
+			data->update->validation_hint.rrtype = KNOT_RRTYPE_ANY;
+			return KNOT_DNSSEC_ENSEC_BITMAP;
+		}
 		knot_rdataset_t *nsec3 = node_rdataset(prev_nsec3, KNOT_RRTYPE_NSEC3);
 		if (nsec3 == NULL) {
 			return KNOT_ERROR;