From: Pieter Lexis
Date: Fri, 21 Oct 2016 10:33:41 +0000 (+0200)
Subject: NSEC3 optout and Bogus insecure forward fixes
X-Git-Tag: rec-4.0.4~22^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=46a66669600ef1d52b866b17f2deeb1c354302e7;p=pdns

NSEC3 optout and Bogus insecure forward fixes

After the change to zonecuts to find key material, the NSEC3 checking returned an (incorrect) 'covering nxdomain' for a forwarded subzone with no DS record in its parent. After fixing this, the NSEC3 optout test failed as Bogus (instead of insecure). This was fixed by actually checking the optout flag on a delegation NSEC3 record.
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 80241ba89..767967c9a 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -12,7 +12,7 @@ void dotNode(string type, DNSName name, string tag, string content);
 string dotName(string type, DNSName name, string tag);
 string dotEscape(string name);
 
-const char *dStates[]={"nodata", "nxdomain", "nxqtype", "empty non-terminal", "insecure"};
+const char *dStates[]={"nodata", "nxdomain", "nxqtype", "empty non-terminal", "insecure", "opt-out"};
 const char *vStates[]={"Indeterminate", "Bogus", "Insecure", "Secure", "NTA"};
 
 typedef set keyset_t;
@@ -83,7 +83,12 @@ static dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const
           (nsec3->d_nexthash < beginHash && beginHash < h) || // wrap other case END --- BEGINNING --- HASH
           beginHash == nsec3->d_nexthash)) // "we have only 1 NSEC3 record, LOL!"
       {
-        LOG("Denies existence of name "<d_flags & 1) {
+          LOG(" but is opt-out!"<
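Review bot: The new "opt-out" string appended to `dStates` is only correct if its index matches the corresponding dState enumerator, and nothing in this hunk ties the table's length to the enum; the enum itself is not part of this diff (presumably in a header), so a future enumerator added or reordered without touching this table would make any code that renders a dState through `dStates[...]` read past the end of the array. A cheap guard right after the table is `static_assert(sizeof(dStates)/sizeof(dStates[0]) == 6, "dStates out of sync with dState");`, or better, compare against a terminating count enumerator if the enum provides one. Since the table is never written to, declaring it `const char *const dStates[]` would also keep the pointers themselves in read-only data. This note covers the first hunk only; the second hunk (the opt-out flag check in getDenial) runs past the end of the page and is not reviewed here.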