diff options
| author | Daniel Salzman <daniel.salzman@nic.cz> | 2025-01-16 08:18:43 +0100 |
|---|---|---|
| committer | Daniel Salzman <daniel.salzman@nic.cz> | 2025-01-16 10:51:34 +0100 |
| commit | 0be611ae41ba4fea6788875896bb7ec0031328e4 (patch) | |
| tree | d06992a01f5a62c80b040b68124cff1ad32a8e7b | |
| parent | doc: update year to 2025 (diff) | |
| download | knot-0be611ae41ba4fea6788875896bb7ec0031328e4.tar.xz knot-0be611ae41ba4fea6788875896bb7ec0031328e4.zip | |
sem-checks: fix DNAME at the zone apex check if active NSEC3
| -rw-r--r-- | src/knot/zone/semantic-check.c | 4 | ||||
| -rw-r--r-- | tests-extra/tests/zone/dname_apex/data/test.zone | 6 | ||||
| -rw-r--r-- | tests-extra/tests/zone/dname_apex/test.py | 48 |
3 files changed, 56 insertions, 2 deletions
diff --git a/src/knot/zone/semantic-check.c b/src/knot/zone/semantic-check.c index d449c5f77..76155ed94 100644 --- a/src/knot/zone/semantic-check.c +++ b/src/knot/zone/semantic-check.c @@ -1,4 +1,4 @@ -/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> +/* Copyright (C) 2025 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -427,7 +427,7 @@ static int check_dname(const zone_node_t *node, semchecks_data_t *data) } /* RFC 6672 Section 2.4 Paragraph 1 */ /* If the NSEC3 node of the apex is present, it is counted as apex's child. */ - unsigned allowed_children = (is_apex && node_nsec3_get(node) != NULL) ? 1 : 0; + unsigned allowed_children = (is_apex && !zone_tree_is_empty(data->zone->nsec3_nodes)) ? 1 : 0; if (node->children > allowed_children) { data->handler->error = true; data->handler->cb(data->handler, data->zone, node->owner, diff --git a/tests-extra/tests/zone/dname_apex/data/test.zone b/tests-extra/tests/zone/dname_apex/data/test.zone new file mode 100644 index 000000000..a63ab998a --- /dev/null +++ b/tests-extra/tests/zone/dname_apex/data/test.zone @@ -0,0 +1,6 @@ +$ORIGIN test. +$TTL 3600 + +@ SOA dns1 hostmaster 2010111201 10800 3600 1209600 7200 + NS ns.example.com. + DNAME example.com. diff --git a/tests-extra/tests/zone/dname_apex/test.py b/tests-extra/tests/zone/dname_apex/test.py new file mode 100644 index 000000000..d8d9dc851 --- /dev/null +++ b/tests-extra/tests/zone/dname_apex/test.py @@ -0,0 +1,48 @@ +#!/usr/bin/env python3 + +'''Test for DNAME check at the zone apex''' + +import random +from dnstest.test import Test + +t = Test() + +master = t.server("knot") +slave = t.server("knot") +ZONE = "test." +zones = t.zone(ZONE, storage=".") + +t.link(zones, master, slave) + +master.zonefile_sync = 0 +master.zonefile_load = "difference-no-serial" +master.zones[ZONE].journal_content = "all" + +if random.choice([False, True]): + master.dnssec(zones[0]).enable = True + if random.choice([False, True]): + master.dnssec(zones[0]).nsec3 = True + +t.start() + +# Check if the zone was accepted via AXFR +serial = master.zones_wait(zones) +slave.zones_wait(zones) +t.xfr_diff(master, slave, zones) +resp = slave.dig(ZONE, "DNAME") +resp.check(rcode="NOERROR", rdata="example.com.") + +# Check if possibly signed zone (upon flush) can be parsed +master.stop() +t.sleep(1) +master.zones[ZONE].zfile.append_rndTXT(ZONE) +master.start() + +# Check if the zone was accepted via IXFR +master.zones_wait(zones, serial) +slave.zones_wait(zones, serial) +t.xfr_diff(master, slave, zones) +resp = slave.dig(ZONE, "DNAME") +resp.check(rcode="NOERROR", rdata="example.com.") + +t.end() |