if(rec.d_type == QType::RRSIG) {
auto rrsig = getRR<RRSIGRecordContent>(rec);
if (rrsig) {
- if (rec.d_name == qname && rrsig->d_labels < rec.d_name.countLabels()) {
+ unsigned int labelCount = rec.d_name.countLabels();
+ /* As illustrated in rfc4035's Appendix B.6, the RRSIG label
+ count can be lower than the name's label count if it was
+ synthesized from the wildcard. Note that the difference might
+ be > 1. */
+ if (rec.d_name == qname && rrsig->d_labels < labelCount) {
LOG(prefix<<qname<<": RRSIG indicates the name was expanded from a wildcard, we need a wildcard proof"<<endl);
needWildcardProof = true;
}
bool isValid = false;
for(const auto& signature : signatures) {
+ unsigned int labelCount = name.countLabels();
+ if (signature->d_labels > labelCount) {
+ LOG(name<<": Discarding invalid RRSIG whose label count is "<<signature->d_labels<<" while the RRset owner name has only "<<labelCount<<endl);
+ }
+
vector<shared_ptr<DNSRecordContent> > toSign = records;
auto r = getByTag(keys, signature->d_tag, signature->d_algorithm);
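Review bot: The RRSIG whose label count exceeds the owner name's label count is logged as "Discarding invalid RRSIG" but is never actually discarded — the `if (signature->d_labels > labelCount)` block closes right after the LOG with no `continue;`, so the loop goes on to build `toSign` and verify with that very signature, and a signature the log claims was rejected can still yield a validated RRset. Add `continue;` directly after the LOG line so the body below the check is only reached for signatures with a plausible label count. Since `name` does not change across iterations, `unsigned int labelCount = name.countLabels();` can also be hoisted above the `for` instead of being recomputed per signature. The `for` loop continues past the end of the hunk.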