resolved: on negative NODATA replies, properly deal with empty non-terminals

empty non-terminals generally lack NSEC RRs, which means we can deduce their existance only from the fact that there are other RRs that contain them in their suffix. Specifically, the NSEC proof for NODATA on ENTs works by sending the NSEC whose next name is a suffix of the queried name to the client. Use this information properly.
author: Lennart Poettering <lennart@poettering.net> 2016-01-14 20:12:29 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-17 20:47:46 +0100
commit: b9282bc12840aff500a334836226f6b8df24926d (patch)
tree: c39fcee6f4a68f984107df899639e88a718776bb /src/resolve
parent: 96bb76734d8e1c8520a2456901079610813eac6d (diff)
1 files changed, 58 insertions, 5 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 1ee4aa5b36..69ed7afaf7 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1617,10 +1617,47 @@ found_closest_encloser:
         return 0;
 }
 
+static int dnssec_nsec_in_path(DnsResourceRecord *rr, const char *name) {
+        const char *nn, *common_suffix;
+        int r;
+
+        assert(rr);
+        assert(rr->key->type == DNS_TYPE_NSEC);
+
+        /* Checks whether the specified nsec RR indicates that name is an empty non-terminal (ENT)
+         *
+         * A couple of examples:
+         *
+         *      NSEC             bar →   waldo.foo.bar: indicates that foo.bar exists and is an ENT
+         *      NSEC   waldo.foo.bar → yyy.zzz.xoo.bar: indicates that xoo.bar and zzz.xoo.bar exist and are ENTs
+         *      NSEC yyy.zzz.xoo.bar →             bar: indicates pretty much nothing about ENTs
+         */
+
+        /* First, determine parent of next domain. */
+        nn = rr->nsec.next_domain_name;
+        r = dns_name_parent(&nn);
+        if (r <= 0)
+                return r;
+
+        /* If the name we just determined is not equal or child of the name we are interested in, then we can't say
+         * anything at all. */
+        r = dns_name_endswith(nn, name);
+        if (r <= 0)
+                return r;
+
+        /* If the name we we are interested in is not a prefix of the common suffix of the NSEC RR's owner and next domain names, then we can't say anything either. */
+        r = dns_name_common_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rr->nsec.next_domain_name, &common_suffix);
+        if (r < 0)
+                return r;
+
+        return dns_name_endswith(name, common_suffix);
+}
+
 int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl) {
-        DnsResourceRecord *rr;
         bool have_nsec3 = false;
+        DnsResourceRecord *rr;
         DnsAnswerFlags flags;
+        const char *name;
         int r;
 
         assert(key);
@@ -1628,6 +1665,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 
         /* Look for any NSEC/NSEC3 RRs that say something about the specified key. */
 
+        name = DNS_RESOURCE_KEY_NAME(key);
+
         DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) {
 
                 if (rr->key->class != key->class)
@@ -1637,7 +1676,7 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 
                 case DNS_TYPE_NSEC:
 
-                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), DNS_RESOURCE_KEY_NAME(key));
+                        r = dns_name_equal(DNS_RESOURCE_KEY_NAME(rr->key), name);
                         if (r < 0)
                                 return r;
                         if (r > 0) {
@@ -1669,11 +1708,13 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
                                 return 0;
                         }
 
-                        r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), DNS_RESOURCE_KEY_NAME(key), rr->nsec.next_domain_name);
+                        /* Check if the name we are looking for is an empty non-terminal within the owner or next name
+                         * of the NSEC RR. */
+                        r = dnssec_nsec_in_path(rr, name);
                         if (r < 0)
                                 return r;
                         if (r > 0) {
-                                *result = DNSSEC_NSEC_NXDOMAIN;
+                                *result = DNSSEC_NSEC_NODATA;
 
                                 if (authenticated)
                                         *authenticated = flags & DNS_ANSWER_AUTHENTICATED;
@@ -1682,7 +1723,19 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 
                                 return 0;
                         }
-                        break;
+
+                        r = dns_name_between(DNS_RESOURCE_KEY_NAME(rr->key), name, rr->nsec.next_domain_name);
+                        if (r < 0)
+                                return r;
+                        if (r > 0)
+                                *result = DNSSEC_NSEC_NXDOMAIN;
+
+                        if (authenticated)
+                                *authenticated = flags & DNS_ANSWER_AUTHENTICATED;
+                        if (ttl)
+                                *ttl = rr->ttl;
+
+                        return 0;
 
                 case DNS_TYPE_NSEC3:
                         have_nsec3 = true;
author	Lennart Poettering <lennart@poettering.net>	2016-01-14 20:12:29 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-17 20:47:46 +0100
commit	b9282bc12840aff500a334836226f6b8df24926d (patch)
tree	c39fcee6f4a68f984107df899639e88a718776bb /src/resolve
parent	96bb76734d8e1c8520a2456901079610813eac6d (diff)