Commit 638413f8 authored by Marek Vavruša, committed by Vladimír Čunát

nsec: correct wildcard proof check with queried for literal wildcard

The validation fails in the current implementation when queried directly
for the wildcard. In that case the count of the common labels with the
NSEC record is the same, and not shorter by 1 (to accommodate wildcard
expansion).
parent 4eedc70c
......@@ -9,6 +9,7 @@ New features
Bugfixes
--------
- avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
- fix validation of explicit wildcard queries (#274)
Knot Resolver 2.3.0 (2018-04-23)
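Review bot: The added NEWS line "fix validation of explicit wildcard queries (#274)" does not say which proof type is affected. The commit title scopes the change to nsec and the code change sits in `wildcard_match_check`, so wording such as "fix NSEC validation of explicit wildcard queries (#274)" would tell changelog readers more precisely what was broken.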
......
......@@ -380,13 +380,15 @@ static int wildcard_match_check(const knot_pkt_t *pkt, const knot_pktsection_t *
if (!knot_dname_is_wildcard(rrset->owner)) {
continue;
}
int wcard_labels = knot_dname_labels(rrset->owner, NULL);
int common_labels = knot_dname_matched_labels(rrset->owner, sname);
int rrsig_labels = coverign_rrsig_labels(rrset, sec);
if (wcard_labels < 1 ||
common_labels != wcard_labels - 1 ||
common_labels != rrsig_labels) {
continue;
if (!knot_dname_is_equal(rrset->owner, sname)) {
int wcard_labels = knot_dname_labels(rrset->owner, NULL);
int common_labels = knot_dname_matched_labels(rrset->owner, sname);
int rrsig_labels = coverign_rrsig_labels(rrset, sec);
if (wcard_labels < 1 ||
common_labels != wcard_labels - 1 ||
common_labels != rrsig_labels) {
continue;
}
}
int ret = no_data_response_check_rrtype(&flags, rrset, stype);
if (ret != 0) {
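Review bot: With the new `if (!knot_dname_is_equal(rrset->owner, sname))` guard, an exact match on the wildcard owner skips every label check, including the comparison against `rrsig_labels`. The old condition implied `rrsig_labels == wcard_labels - 1` for any record it accepted, and that relation should still hold for a literal wildcard query, because the RRSIG Labels field does not count the leading `*` label (RFC 4034, section 3.1.3). Consider keeping that check in the equal-name case, for example accepting `common_labels == wcard_labels` only when `rrsig_labels == wcard_labels - 1`, and add a short comment above the guard explaining why the literal-wildcard case differs. A regression test that queries the wildcard name directly would also help keep this from breaking again.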
......