Commit 422b5f19 authored by Vladimír Čunát

Merge !320: dnssec/nsec: add a precaution for DS nodata

parents b29f002d de979a3b
Pipeline #7094 canceled with stages in 76 minutes and 34 seconds
......@@ -237,7 +237,14 @@ static int no_data_response_check_rrtype(int *flags, const knot_rrset_t *nsec,
if (!kr_nsec_bitmap_contains_type(bm, bm_size, type)) {
/* The type is not listed in the NSEC bitmap. */
*flags |= FLG_NOEXIST_RRTYPE;
/* Security feature: in case of DS also check for SOA
* non-existence to be more certain that we don't hold
* a child-side NSEC by some mistake (e.g. when forwarding).
* See RFC4035 5.2, next-to-last paragraph. */
if (type != KNOT_RRTYPE_DS
|| !kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) {
*flags |= FLG_NOEXIST_RRTYPE;
}
}
return kr_ok();
......
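Review bot: In the new DS branch inside the `!kr_nsec_bitmap_contains_type(bm, bm_size, type)` block, a bitmap that lacks DS but has SOA set now produces no flag at all, and the function still falls through to `return kr_ok();`. The rejection of a suspected child-side NSEC is therefore silent and looks the same to the caller as "this NSEC proved nothing". Please confirm that every caller treats a missing FLG_NOEXIST_RRTYPE as a failed proof, and consider a verbose log line or a dedicated flag for this case so a forwarding misconfiguration is diagnosable. The condition would also read more directly as an early skip for `type == KNOT_RRTYPE_DS` with SOA present, rather than a negated `||`. No test for the DS-with-SOA bitmap is visible in this hunk; one would pin the behaviour the comment describes.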