author: Vladimír Čunát <vladimir.cunat@nic.cz> 2024-05-29 15:07:46 +0200
committer: Vladimír Čunát <vladimir.cunat@nic.cz> 2024-05-29 15:13:49 +0200
commit: 9f82dd096a47f5c8ce6f8158a2892a139083fc8a
tree: a215d56fe9bf2dce614c5b77c9136b98e38c0e11 /lib
parent: Merge !1544: modules/stats: split IPv4 and IPv6 stats (version 5.x)
download: knot-resolver-9f82dd096a47f5c8ce6f8158a2892a139083fc8a.tar.xz
download: knot-resolver-9f82dd096a47f5c8ce6f8158a2892a139083fc8a.zip
iterate: fix NSEC3 records missing from answer in an edge case
When positive wildcard expansion happens, NSEC(3) records are needed to prove that the expansion was allowed. If the NSEC3 had too many iterations, we downgrade the answer to insecure status, but unintentionally we also dropped the NSEC3 record from the answer. That was breaking DNSSEC validation of that answer, e.g. when forwarding to Knot Resolver. The validator needs the NSEC3 - either to validate the expansion or to determine that it's too expensive.
Diffstat (limited to 'lib')
-rw-r--r-- lib/layer/iterate.c | 5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 5d16015e..656bc2d2 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -825,7 +825,10 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
}
} else if (!query->parent) {
/* Answer for initial query */
- const bool to_wire = ((pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) != 0);
+ const bool to_wire = ((pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) != 0)
+ /* We need to cover the case of positive wildcard answer
+ * with over-limit NSEC3 iterations. */
+ || query->flags.DNSSEC_WEXPAND;
state = pick_authority(pkt, req, to_wire);
if (state != kr_ok()) {
return KR_STATE_FAIL;
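Review bot: the new `|| query->flags.DNSSEC_WEXPAND` term is broader than the comment placed above it suggests: it forces authority records to the wire for every positive wildcard expansion, not only when the NSEC3 iteration count was over the limit, so the comment should state the general rule (the NSEC(3) proof must reach the client for any wildcard expansion, whether validated or downgraded to insecure, as the commit message already explains) rather than naming only the over-limit case. The downgrade path is the one that was dropping the record, so it deserves a regression test that checks the NSEC3 stays in the answer after the downgrade. Minor style point: splitting the expression as `!= 0)` / comment / `|| query->flags.DNSSEC_WEXPAND;` is hard to read; moving the comment above `const bool to_wire = ...` and keeping the whole condition together would be clearer.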