resolved: implement the full NSEC and NSEC3 postive wildcard proofs

author: Lennart Poettering <lennart@poettering.net> 2016-01-13 02:45:28 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-13 20:21:57 +0100
commit: e926785a1feff01901e6298261a9f635791d3b17 (patch)
tree: b038c3df03d5c6b6fae6db1201310f713a8cacc1 /src/resolve/resolved-dns-transaction.c
parent: e8233bce196a14fa3ebde2969594fcdfa4404e19 (diff)
1 files changed, 11 insertions, 15 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 9ee10f21c8..c7d2d82ecf 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2531,28 +2531,24 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 
                         if (result == DNSSEC_VALIDATED_WILDCARD) {
                                 bool authenticated = false;
-                                const char *suffix;
+                                const char *source;
 
-                                /* This RRset validated, but as a wildcard. This means we need to proof via NSEC/NSEC3
-                                 * that no matching non-wildcard RR exists.
-                                 *
-                                 * See RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4*/
+                                /* This RRset validated, but as a wildcard. This means we need to prove via NSEC/NSEC3
+                                 * that no matching non-wildcard RR exists.*/
 
-                                r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &suffix);
+                                /* First step, determine the source of synthesis */
+                                r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &source);
                                 if (r < 0)
                                         return r;
                                 if (r == 0)
                                         return -EBADMSG;
 
-                                r = dns_name_parent(&suffix);
-                                if (r < 0)
-                                        return r;
-                                if (r == 0)
-                                        return -EBADMSG;
-
-                                r = dnssec_nsec_test_between(validated, DNS_RESOURCE_KEY_NAME(rr->key), suffix, &authenticated);
-                                if (r < 0)
-                                        return r;
+                                r = dnssec_test_positive_wildcard(
+                                                validated,
+                                                DNS_RESOURCE_KEY_NAME(rr->key),
+                                                source,
+                                                rrsig->rrsig.signer,
+                                                &authenticated);
 
                                 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
                                 if (r == 0)
author	Lennart Poettering <lennart@poettering.net>	2016-01-13 02:45:28 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-13 20:21:57 +0100
commit	e926785a1feff01901e6298261a9f635791d3b17 (patch)
tree	b038c3df03d5c6b6fae6db1201310f713a8cacc1 /src/resolve/resolved-dns-transaction.c
parent	e8233bce196a14fa3ebde2969594fcdfa4404e19 (diff)