From: Remi Gacogne Date: Fri, 9 Jun 2017 09:38:22 +0000 (+0200) Subject: rec: Add and clarify RRSIG labels checks X-Git-Tag: rec-4.1.0-alpha1~50^2~9 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bb07ad8e1965722497698c4b3df8ea397889e729;p=pdns rec: Add and clarify RRSIG labels checks
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index cdc073342..3ab08bfc5 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1616,7 +1616,12 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 if(rec.d_type == QType::RRSIG) {
 auto rrsig = getRR(rec);
 if (rrsig) {
- if (rec.d_name == qname && rrsig->d_labels < rec.d_name.countLabels()) {
+ unsigned int labelCount = rec.d_name.countLabels();
+ /* As illustrated in rfc4035's Appendix B.6, the RRSIG label count can be lower than the name's label count if it was synthesized from the wildcard. Note that the difference might be > 1. */
+ if (rec.d_name == qname && rrsig->d_labels < labelCount) {
 LOG(prefix<d_labels > labelCount) {
+ LOG(name<<": Discarding invalid RRSIG whose label count is "<d_labels<<" while the RRset owner name has only "< > toSign = records;
 auto r = getByTag(keys, signature->d_tag, signature->d_algorithm);