Commit fec79983 authored by Mark Andrews's avatar Mark Andrews
Browse files

3942. [bug] Wildcard responses from a optout range should be

                        marked as insecure. [RT #37072]
parent c3d02211
3942. [bug] Wildcard responses from a optout range should be
marked as insecure. [RT #37072]
3941. [doc] Include the BIND version number in the ARM. [RT #37067]
3940. [func] "rndc nta" now allows negative trust anchors to be
......
......@@ -271,7 +271,7 @@ $DIG $DIGOPTS a.wild.optout.example. \
stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
$PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
......
......@@ -2071,6 +2071,9 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
(*logit)(arg, ISC_LOG_DEBUG(3),
"NSEC3 indicates optout");
else
(*logit)(arg, ISC_LOG_DEBUG(3),
"NSEC3 indicates secure range");
*optout =
ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
}
......
......@@ -2805,7 +2805,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
if (!FOUNDNOQNAME(val))
findnsec3proofs(val);
if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
validator_log(val, ISC_LOG_DEBUG(3),
"marking as secure, noqname proof found");
marksecure(val->event);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment