From ab481675f98d3d3f12e7e48ba6d2159123b9c7bf Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 15 Jan 2016 02:21:22 +0100
Subject: resolved: complete NSEC non-existance proofs

This fills in the last few gaps:

- When checking if a domain is non-existing, also check that no wildcard for it exists
- Ensure we don't base "covering" tests on NSEC RRs from a parent zone
- Refuse to accept expanded wildcard NSEC RRs for absence proofs.
---
 src/resolve/resolved-dns-rr.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

(limited to 'src/resolve/resolved-dns-rr.c')

diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
index 53fd708365..02c6b239d5 100644
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -1136,6 +1136,8 @@ int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone) {
 const char *signer;
 int r;
 
+ assert(rr);
+
 r = dns_resource_record_signer(rr, &signer);
 if (r < 0)
 return r;
@@ -1143,6 +1145,29 @@ int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone) {
 return dns_name_equal(zone, signer);
 }
 
+int dns_resource_record_is_synthetic(DnsResourceRecord *rr) {
+ int r;
+
+ assert(rr);
+
+ /* Returns > 0 if the RR is generated from a wildcard, and is not the asterisk name itself */
+
+ if (rr->n_skip_labels_source == (unsigned) -1)
+ return -ENODATA;
+
+ if (rr->n_skip_labels_source == 0)
+ return 0;
+
+ if (rr->n_skip_labels_source > 1)
+ return 1;
+
+ r = dns_name_startswith(DNS_RESOURCE_KEY_NAME(rr->key), "*");
+ if (r < 0)
+ return r;
+
+ return !r;
+}
+
 static void dns_resource_record_hash_func(const void *i, struct siphash *state) {
 const DnsResourceRecord *rr = i;
 
--
cgit v1.2.3-54-g00ecf
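Review bot: `dns_resource_record_is_synthetic` has a three-way result (negative, 0, > 0) but its only comment, `/* Returns > 0 if the RR is generated from a wildcard, and is not the asterisk name itself */`, documents the positive case alone; since the commit message says this result gates whether an expanded wildcard NSEC is accepted for an absence proof, a caller testing `> 0` would let the -ENODATA case (`n_skip_labels_source` still at its `(unsigned) -1` sentinel, presumably an RR whose RRSIG has not been validated) through as "not synthetic". The callers are outside this hunk, so I cannot tell how they check it, but the contract belongs where the function is defined. I would move the comment above the function and make it `/* Returns > 0 if the RR was synthesized from a wildcard (and is not the wildcard owner itself), 0 if not, and -ENODATA if its origin is unknown. Absence-proof callers must treat a negative return as "unusable", never as "not synthetic". */`. The `n_skip_labels_source == 1` branch also deserves a one-line note that `dns_name_startswith(..., "*")` is relied on to match the whole leading label, since a plain string-prefix match would also accept names like `*foo`.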