We were off by one when counting labels, so when an NTA was added for a
name where a TA was configured, we would still attempt validation.
Reported by @jpmens
DNSName lowestNTA;
for (auto const &negAnchor : negAnchors)
- if (zone.isPartOf(negAnchor.first) && lowestNTA.countLabels() < negAnchor.first.countLabels())
+ if (zone.isPartOf(negAnchor.first) && lowestNTA.countLabels() <= negAnchor.first.countLabels())
lowestNTA = negAnchor.first;
if(!lowestNTA.empty()) {
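Review bot: The `<=` on the new line only changes the outcome when both label counts are equal, and for two names that are both suffixes of `zone` that means they are the same name, so the only case the relaxation newly admits is a root (`.`) NTA compared against the default-constructed `lowestNTA` (presumably zero labels as well); a comment would save the next reader from re-deriving this, e.g. `// '<=' so a root NTA (zero labels, like the empty default) can be selected`. Whether a root NTA assigned to `lowestNTA` then passes the `!lowestNTA.empty()` test on the following line depends on how `DNSName` represents root versus empty, which is not visible here and is worth confirming, since otherwise the root NTA is still dropped one line later. The loop over `negAnchors` may begin before the visible lines.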
* attempt validation for. However, section 3 tells us this positive
* Trust Anchor MUST be *below* the name and not the name itself
*/
- if(lowestTA.countLabels() < lowestNTA.countLabels()) {
+ if(lowestTA.countLabels() <= lowestNTA.countLabels()) {
LOG("marking answer Insecure"<<endl);
return NTA; // Not Insecure, this way validateRecords() can shortcut
}
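Review bot: The changed comparison `lowestTA.countLabels() <= lowestNTA.countLabels()` treats equal label counts as "TA is at the NTA name itself", which is only correct because both names are ancestors of the same zone; `lowestTA` is computed outside this hunk, so that precondition should be stated next to the check, e.g. `// both are suffixes of zone, so equal depth means the TA sits at the NTA name, not below it`. It is also worth noting in the comment that an empty `lowestTA` (no TA configured at all) now falls into this branch for a root NTA too, which appears intended given the commit message but is a behaviour change callers of this shortcut should be aware of. The enclosing function continues outside the hunk.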