From: Remi Gacogne
Date: Wed, 11 Oct 2017 10:20:42 +0000 (+0200)
Subject: rec: The NSEC next name should be different to prove an ENT
X-Git-Tag: rec-4.1.0-rc2~40^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00be1ff60bb1426a9bfa76712dd91ad21d72b276;p=pdns

rec: The NSEC next name should be different to prove an ENT

While it's not an issue in the current code because we checked earlier that the NSEC covered the name, it might prevent an issue if we reuse nsecProvesENT() later.
---

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 3ce10cf89..3e90a06d6 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -7248,6 +7248,10 @@ BOOST_AUTO_TEST_CASE(test_nsec_ent_denial) {
 it is an ENT */
 denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true);
 BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+
+ /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
+ denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true);
+ BOOST_CHECK_EQUAL(denialState, NODATA);
 }
 
 BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) {
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 790031d87..3df1c7412 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -48,7 +48,7 @@ static bool nsecProvesENT(const DNSName& name, const DNSName& begin, const DNSNa
 - begin < name
 - next is a child of name
 */
- return begin.canonCompare(name) && next.isPartOf(name);
+ return begin.canonCompare(name) && next != name && next.isPartOf(name);
 }
 
 static std::string getHashFromNSEC3(const DNSName& qname, const std::shared_ptr nsec3)
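Review bot: The new assertion expects NODATA, but the added comment only says the NSEC is "not valid to prove a NXQTYPE", leaving the reader to guess what NODATA stands for in the dState enum; if NODATA is the value getDenial() returns when no denial could be established, state that in the comment, e.g. `/* a.c.powerdns.com. is below the ENT: this NSEC must not yield NXQTYPE for it (NODATA = no denial proven) */`. The rest of test_nsec_ent_denial, including how denialMap and the NSEC's next name are built, starts before the hunk, so the exact case being exercised (presumably the next name equal to the queried name, which the validate.cc hunk guards) cannot be confirmed from here; naming it in the comment would tie the test to the fix.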
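Review bot: The context comment above the return (`- next is a child of name`) should say why the explicit `next != name` is needed, since DNSName::isPartOf() presumably also matches the name itself and a later reader may "simplify" the inequality away; suggest `- next is a proper child of name (isPartOf() is also true for name itself, hence the explicit check)`. The signature of nsecProvesENT() is visible only truncated in the hunk header and the body starts before the hunk, so the semantics of canonCompare() cannot be confirmed here. A direct unit test of nsecProvesENT() with next == name would pin this behaviour independently of the earlier coverage check the commit message relies on, if the static function can be reached from the test binary.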