
dnssec/nsec3: don't set AD flag in properly signed wildcard nodata answers

Merged Grigorii Demidov requested to merge fix-oo-wc-nodata into master
2 files
+ 10
2
+ 9
1
@@ -702,6 +702,14 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
encloser_name, stype);
if (ret == 0) {
/* Satisfies RFC5155 8.7 */
if (has_optout(covering_next_nsec3)) {
/* Opt-out is detected.
* Despite the fact that all records
* in the packet can be properly signed,
* AD bit must not be set due to rfc5155 9.2.
* Return appropriate code to the caller */
ret = kr_error(DNSSEC_OUT_OF_RANGE);
}
return ret;
}
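Review bot: The added `has_optout(covering_next_nsec3)` call in the `ret == 0` branch runs without any NULL check on `covering_next_nsec3` visible in this hunk, so it is safe only if the closest-encloser proof always sets that pointer or `has_optout()` tolerates NULL itself; neither is shown here. If neither holds, the pointer should be tested before the call, for example `if (covering_next_nsec3 && has_optout(covering_next_nsec3)) {`. The branch also reuses `kr_error(DNSSEC_OUT_OF_RANGE)` to mean "records validly signed, but AD must not be set", the same value the second hunk returns, so the function's header comment should say that callers must handle this code as an insecure (opt-out) result and not as a validation failure. The body of kr_nsec3_no_data starts and ends outside the hunk.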
@@ -719,7 +727,7 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
*/
ret = kr_error(DNSSEC_OUT_OF_RANGE);
}
return ret;
}