authorLibor Peltan <libor.peltan@nic.cz>2024-07-19 09:55:15 +0200
committerLibor Peltan <libor.peltan@nic.cz>2024-07-19 09:55:15 +0200
commit36aff680e4817160d5e1de728cb76a2b1684aae5 (patch)
tree8fd2fca33c7903ffce7d8987dd8d170a7c6af60e
parentMerge branch 'xfr_more_log_proto' into 'master' (diff)
parentdnssec: superfluous NSEC semantic test case (diff)
Merge branch 'NSEC_nonauth_err_code' into 'master'
superfluous NSEC handling See merge request knot/knot-dns!1686
-rw-r--r--src/knot/dnssec/nsec-chain.c6
-rw-r--r--src/knot/zone/semantic-check.c4
-rw-r--r--src/knot/zone/semantic-check.h2
-rw-r--r--src/libknot/errcode.h1
-rw-r--r--src/libknot/error.c1
-rw-r--r--tests/knot/semantic_check_data/nsec_nonauth.invalid27
-rw-r--r--tests/knot/test_semantic_check.in2
7 files changed, 40 insertions, 3 deletions
diff --git a/src/knot/dnssec/nsec-chain.c b/src/knot/dnssec/nsec-chain.c
index b308b29e7..123020a89 100644
--- a/src/knot/dnssec/nsec-chain.c
+++ b/src/knot/dnssec/nsec-chain.c
@@ -448,7 +448,7 @@ static int check_nsec_bitmap(zone_node_t *node, void *ctx)
if (shall_no_nsec && nsec != NULL && nsec->count > 0) {
data->update->validation_hint.node = nsec_node->owner;
data->update->validation_hint.rrtype = data->nsec_type;
- return KNOT_DNSSEC_ENSEC_BITMAP;
+ return KNOT_DNSSEC_EXTRA_NSEC;
}
if (shall_no_nsec) {
return KNOT_EOK;
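Review bot: The changed return fires for any NSEC present on a node that must carry none, which is a different failure than a malformed bitmap, yet the enclosing function is still called check_nsec_bitmap and the branch carries no comment explaining the distinction. A one-line comment above the `if`, such as `/* Node must not carry an NSEC at all (presumably non-authoritative) -> superfluous NSEC, not a bitmap error. */`, would tell the next reader why this path maps to KNOT_DNSSEC_EXTRA_NSEC rather than KNOT_DNSSEC_ENSEC_BITMAP. shall_no_nsec is computed outside the hunk, so exactly which nodes qualify cannot be confirmed here; the fixture added in this commit (an NSEC below the deleg.example.com delegation) suggests non-authoritative names. check_nsec_bitmap starts and ends outside the hunk.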
@@ -765,7 +765,7 @@ int knot_nsec_check_chain(zone_update_t *update)
if (!zone_tree_is_empty(update->new_cont->nsec3_nodes)) {
update->validation_hint.node = update->zone->name;
update->validation_hint.rrtype = KNOT_RRTYPE_NSEC3;
- return KNOT_DNSSEC_ENSEC_BITMAP;
+ return KNOT_DNSSEC_EXTRA_NSEC;
}
nsec_chain_iterate_data_t data = { 0, update, KNOT_RRTYPE_NSEC };
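Review bot: The three-line block that rejects NSEC3 nodes (hint node, hint rrtype, return KNOT_DNSSEC_EXTRA_NSEC) is duplicated verbatim in knot_nsec_check_chain here and in knot_nsec_check_chain_fix in the next hunk at line 784; the commit only swaps the return code in both copies. Extracting it into one static helper keeps the hint and the error code in a single place so the next change does not have to be made twice. Both enclosing functions start outside their hunks, so the helper would be placed above knot_nsec_check_chain and the block replaced in both functions as sketched below.
```c
/* Reject NSEC3 nodes in a zone that is expected to carry an NSEC chain. */
static int reject_nsec3_nodes(zone_update_t *update)
{
	if (!zone_tree_is_empty(update->new_cont->nsec3_nodes)) {
		update->validation_hint.node = update->zone->name;
		update->validation_hint.rrtype = KNOT_RRTYPE_NSEC3;
		return KNOT_DNSSEC_EXTRA_NSEC;
	}
	return KNOT_EOK;
}

int knot_nsec_check_chain(zone_update_t *update)
{
	/* … unchanged: earlier body of knot_nsec_check_chain … */
	int ret = reject_nsec3_nodes(update);
	if (ret != KNOT_EOK) {
		return ret;
	}
	/* … unchanged: nsec_chain_iterate_data_t data = { 0, update, KNOT_RRTYPE_NSEC }; … */
```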
@@ -784,7 +784,7 @@ int knot_nsec_check_chain_fix(zone_update_t *update)
if (!zone_tree_is_empty(update->new_cont->nsec3_nodes)) {
update->validation_hint.node = update->zone->name;
update->validation_hint.rrtype = KNOT_RRTYPE_NSEC3;
- return KNOT_DNSSEC_ENSEC_BITMAP;
+ return KNOT_DNSSEC_EXTRA_NSEC;
}
nsec_chain_iterate_data_t data = { 0, update, KNOT_RRTYPE_NSEC };
diff --git a/src/knot/zone/semantic-check.c b/src/knot/zone/semantic-check.c
index ab61d06ff..3d085d875 100644
--- a/src/knot/zone/semantic-check.c
+++ b/src/knot/zone/semantic-check.c
@@ -60,6 +60,8 @@ static const char *error_messages[SEM_ERR_UNKNOWN + 1] = {
"inconsistent NSEC(3) chain",
[SEM_ERR_NSEC3_INSECURE_DELEGATION_OPT] =
"wrong NSEC3 opt-out",
+ [SEM_ERR_EXTRA_NSEC] =
+ "superfluous NSEC(3)",
[SEM_ERR_NSEC3PARAM_RDATA_FLAGS] =
"invalid flags in NSEC3PARAM",
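Review bot: The new error_messages entry is placed among the NSEC(3) messages, whereas the matching SEM_ERR_EXTRA_NSEC enumerator in the semantic-check.h hunk is appended after SEM_ERR_CDNSKEY_INVALID_DELETE, just before SEM_ERR_UNKNOWN. Designated initializers make the table order irrelevant for correctness, so this is only readability: presumably the enumerator was appended to keep existing sem_error_t values stable, and a comment on it, `// appended last so existing sem_error_t values keep their numbering`, would record that and stop a later cleanup from reordering it. The test_semantic_check.in hunks grep the literal text "superfluous NSEC(3)", so this string must stay identical to the one the checker prints.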
@@ -506,6 +508,8 @@ static sem_error_t err_dnssec2sem(int ret, uint16_t rrtype, char *info, size_t l
return SEM_ERR_NSEC3_INSECURE_DELEGATION_OPT;
case KNOT_DNSSEC_EKEYTAG_LIMIT:
return SEM_ERR_DNSKEY_KEYTAG_LIMIT;
+ case KNOT_DNSSEC_EXTRA_NSEC:
+ return SEM_ERR_EXTRA_NSEC;
default:
return SEM_ERR_UNKNOWN;
}
diff --git a/src/knot/zone/semantic-check.h b/src/knot/zone/semantic-check.h
index f95d3ceca..a0b1d21d8 100644
--- a/src/knot/zone/semantic-check.h
+++ b/src/knot/zone/semantic-check.h
@@ -75,6 +75,8 @@ typedef enum {
SEM_ERR_CDNSKEY_NO_CDS,
SEM_ERR_CDNSKEY_INVALID_DELETE,
+ SEM_ERR_EXTRA_NSEC,
+
// General error!
SEM_ERR_UNKNOWN
} sem_error_t;
diff --git a/src/libknot/errcode.h b/src/libknot/errcode.h
index 21e0bfecc..3ee326ca1 100644
--- a/src/libknot/errcode.h
+++ b/src/libknot/errcode.h
@@ -180,6 +180,7 @@ enum knot_error {
KNOT_NO_READY_KEY,
KNOT_ESOON_EXPIRE,
KNOT_DNSSEC_EKEYTAG_LIMIT,
+ KNOT_DNSSEC_EXTRA_NSEC,
KNOT_ERROR_MAX = -501
};
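Review bot: KNOT_DNSSEC_EXTRA_NSEC breaks the naming pattern of its DNSSEC siblings, where the condition carries an E prefix (KNOT_DNSSEC_EKEYTAG_LIMIT on the line above, and KNOT_DNSSEC_ENSEC_BITMAP, which the nsec-chain.c hunks replace); `KNOT_DNSSEC_ENSEC_EXTRA` would read as the sibling of KNOT_DNSSEC_ENSEC_BITMAP. If renamed, the three returns in nsec-chain.c, the case in err_dnssec2sem and the error.c table entry follow. The enumerator takes the next auto-assigned value before the explicit KNOT_ERROR_MAX = -501; whether something guards that the list has not grown past that bound is not visible here, so worth confirming when adding entries.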
diff --git a/src/libknot/error.c b/src/libknot/error.c
index 14593f8b4..59f0a7a40 100644
--- a/src/libknot/error.c
+++ b/src/libknot/error.c
@@ -179,6 +179,7 @@ static const struct error errors[] = {
{ KNOT_NO_READY_KEY, "no key ready for submission" },
{ KNOT_ESOON_EXPIRE, "oncoming RRSIG expiration" },
{ KNOT_DNSSEC_EKEYTAG_LIMIT, "many keys with equal keytag" },
+ { KNOT_DNSSEC_EXTRA_NSEC, "superfluous NSEC(3)" },
/* Terminator */
{ KNOT_ERROR, NULL }
diff --git a/tests/knot/semantic_check_data/nsec_nonauth.invalid b/tests/knot/semantic_check_data/nsec_nonauth.invalid
new file mode 100644
index 000000000..ce5ee4d6d
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_nonauth.invalid
@@ -0,0 +1,27 @@
+;; Zone dump (Knot DNS 3.4.dev0+1720175447.11b935381)
+example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111214 21600 3600 604800 86400
+example.com. 3600 NS dns1.example.com.
+example.com. 3600 DNSKEY 256 3 13 4t69Zp7W+FQCRVjSjaLlmYuzHp14ljBcUSEcpfSwtl3w6LVb+vzPdjhbdX2Mmzdg+MZBWwnRMDspGl16gmoXig==
+example.com. 3600 DNSKEY 257 3 13 kamWKsByy8ilBkCfW1fZ9hn+At61Zjf90Ou6lshQeXS3WkeJO/5vuRNZdjv9C5tyb5CBA2QOvSM1Eg/7Cx4ztA==
+example.com. 0 CDS 3310 13 2 E9C99BE505F97345832D2433034A79ED22EB062F99666A026818F7D35B710821
+example.com. 0 CDNSKEY 257 3 13 kamWKsByy8ilBkCfW1fZ9hn+At61Zjf90Ou6lshQeXS3WkeJO/5vuRNZdjv9C5tyb5CBA2QOvSM1Eg/7Cx4ztA==
+deleg.example.com. 3600 A 127.0.0.1
+deleg.example.com. 3600 NS deleg.example.com.
+dns1.example.com. 3600 A 192.0.2.1
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 13 2 3600 20240725130051 20240711113051 60718 example.com. 5KpS/T4LhDDAm/rtOUZ7R8ScH/mMZpWFcR+054OicV4t4JPGoqwgmogroFRd4k/WOF7cmQ31CEvN52Pga7kf9Q==
+example.com. 3600 RRSIG SOA 13 2 3600 20240725125558 20240711112558 60718 example.com. iLCQshkoeAPmc8ZP/0ynzw0zbIyZeTlomFunmsZuu//ZbGwYOC1gwRpHzfLpgeYx3jTD4qgUKoJuIzEnfrowrw==
+example.com. 3600 RRSIG NSEC 13 2 3600 20240725130247 20240711113247 60718 example.com. E+LTzopR5J1G+2RWDrUcGwOlzFtgUf4GwQltM1F4Z8AFSK3ZEk6xYbbhX2WlIQYyDodxcwgy08kuaeNHegv00w==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20240725125558 20240711112558 3310 example.com. dhFqMNl6AXJu/6uBWjNFjnf1JP8dbOu/VpRHAf4NwM3RlvUCSRZ6qZVQWA0/BvJ+E4iZyfsRYCDTaXEm7i8ZKA==
+example.com. 0 RRSIG CDS 13 2 0 20240725125558 20240711112558 3310 example.com. fWiN+LE02kX+kazNZbxBd6BJ88bq/IiwQ6+RsOEYsuC9yFxCa/9dcMF4Z9GN/qn5JFFfnJodQWR0O5iKFE+MBQ==
+example.com. 0 RRSIG CDNSKEY 13 2 0 20240725125558 20240711112558 3310 example.com. tsJ9oklWeJUWOnVW84GIKo/nVJNaqd/PWTVWaRBamSmJwiZusppsBxNTGqsQP+2W2cM1FtiuLiDsMm/zWfrppg==
+deleg.example.com. 3600 RRSIG NSEC 13 3 3600 20240725130247 20240711113247 60718 example.com. 5mvvVAdpVBKEtGxxFU3fKXl8pMGbyuqwMolOV2eRicPo851BZSeY3Cn1eCCHMn5E4GBglTW6Ugna5AnPoYKVRA==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20240725125558 20240711112558 60718 example.com. O26Wir77dSZhE6vmuN2ktFvB+5DHxti3EeHUt56bByREQBHWVrZfLh6KJnmkzR9r7AnwQbIDrcP/9QYXK8Mjgw==
+dns1.example.com. 3600 RRSIG NSEC 13 3 3600 20240725130051 20240711113051 60718 example.com. wdfKi+OK0NDMUgrBZ6HBFNRGfXdFGh/OAaQJYbmkEuU/tPmp2Qhpb6EI0clFwALpa5H0MetTIRCKrpT2KlDLDQ==
+;; DNSSEC NSEC chain
+example.com. 3600 NSEC deleg.example.com. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
+deleg.example.com. 3600 NSEC dns1.example.com. NS RRSIG NSEC
+dns1.example.com. 3600 NSEC example.com. A RRSIG NSEC
+
+;; NSEC for a node for which this zone is not authoritative
+nonauth.deleg.example.com. 3600 NSEC dns1.example.com. NS RRSIG NSEC
diff --git a/tests/knot/test_semantic_check.in b/tests/knot/test_semantic_check.in
index c8a4d1c1a..e91e9dc59 100644
--- a/tests/knot/test_semantic_check.in
+++ b/tests/knot/test_semantic_check.in
@@ -68,6 +68,7 @@ NSEC3PARAM_FLAGS="invalid flags in NSEC3PARAM"
NSEC_NONE="missing NSEC\(3\) record"
NSEC_RDATA_BITMAP="wrong NSEC\(3\) bitmap"
NSEC_RDATA_CHAIN="inconsistent NSEC\(3\) chain"
+NSEC_EXTRA="superfluous NSEC\(3\)"
NSEC3_INSECURE_DELEGATION_OPT="wrong NSEC3 opt-out"
NS_APEX="missing NS at the zone apex"
NS_GLUE="missing glue record"
@@ -128,6 +129,7 @@ expect_error "cdnskey.orphan.cdnskey" 0 1 "$CDNSKEY_NO_CDS"
expect_error "cdnskey.delete.invalid.cds" 0 1 "$CDNSKEY_DELETE"
expect_error "cdnskey.delete.invalid.cdnskey" 0 1 "$CDNSKEY_DELETE"
expect_error "delegation.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec_nonauth.invalid" 0 1 "$NSEC_EXTRA"
test_correct "soa.duplicate"
test_correct "rrsig_ttl.signed"
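Review bot: The new expect_error case covers only the NSEC-below-delegation fixture, while the same error code is now also returned by knot_nsec_check_chain and knot_nsec_check_chain_fix when NSEC3 nodes exist in a zone checked for an NSEC chain (the nsec-chain.c hunks at lines 765 and 784). Unless that path is exercised elsewhere, a second fixture holding a stray NSEC3 record in an NSEC-signed zone, checked with a constructed line like `expect_error "nsec3_extra.invalid" 0 1 "$NSEC_EXTRA"`, would pin the second trigger of the new message. The meaning of the `0 1` arguments to expect_error is defined outside the hunk.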