iterate: fix NSEC3 records missing from answer in an edge case (!1550) · Merge requests · Knot projects / Knot Resolver

Vladimír Čunát requested to merge nsec3-iters-wild into master-5 May 29, 2024

When positive wildcard expansion happens, NSEC(3) records are needed to prove that the expansion was allowed. If the NSEC3 had too many iterations, we downgrade the answer to insecure status, but unintentionally we also dropped the NSEC3 record from the answer.

That was breaking DNSSEC validation of that answer, e.g. when forwarding to Knot Resolver. The validator needs the NSEC3 - either to validate the expansion or to determine that it's too expensive.

Fixes #910 (closed)

Admin message

Admin message

iterate: fix NSEC3 records missing from answer in an edge case

Merge request reports