An NSEC record cannot attest to its own non-existance!

f01d7be6 · Simon Kelley · d387380a · f01d7be6
Commit f01d7be6 authored Feb 24, 2014 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

src/dnssec.c src/dnssec.c +8 -4

No files found.
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -860,7 +860,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
  GETSHORT(qclass, p);
  if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
-    return STAT_INSECURE;
+    return STAT_BOGUS;
   /* See if we have cached a DS record which validates this key */
  if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
@@ -894,7 +894,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
      GETSHORT(flags, p);
      if (*p++ != 3)
-	return STAT_INSECURE;
+	return STAT_BOGUS;
      algo = *p++;
      keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
      key = NULL;
@@ -984,7 +984,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 		  GETSHORT(flags, p);
 		  if (*p++ != 3)
-		    return STAT_INSECURE;
+		    return STAT_BOGUS;
 		  algo = *p++;
 		  keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
@@ -1080,7 +1080,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
  GETSHORT(qclass, p);
  if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
-    return STAT_INSECURE;
+    return STAT_BOGUS;
  val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
@@ -1255,6 +1255,10 @@ static int prove_non_existance_nsec(struct dns_header *header, size_t plen, unsi
      if (rc == 0)
 	{
+	  /* 4035 para 5.4. Last sentence */
+	  if (type == T_NSEC || type == T_RRSIG)
+	    return STAT_SECURE;
 	  /* NSEC with the same name as the RR we're testing, check
 	     that the type in question doesn't appear in the type map */
 	  rdlen -= p - psave;