From 97c2ea26456f21334ac164f330426dd518067f08 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 14 Feb 2017 17:54:30 +0100 Subject: resolved: fix NSEC proofs for missing TLDs For the wildcard NSEC check we need to generate an "asterisk" domain, by prepend the common ancestor with "*.". So far we did that with a simple strappenda() which is fine for most domains, but doesn't work if the common ancestor is the root domain as we usually write that as "." in normalized form, and "*." joined with "." is "*.." and not "*." as it should be. Hence, use the clean way out, let's just use dns_name_concat() which only exists precisely for this reason, to properly concatenate labels. There's a good chance this actually fixes #5029, as this NSEC proof is triggered by lookups in the TLD "example", which doesn't exist in the Internet. --- src/resolve/resolved-dns-dnssec.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'src/resolve') diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 51327105d0..eddab58a81 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -1710,7 +1710,8 @@ static int dnssec_nsec_covers(DnsResourceRecord *rr, const char *name) { } static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name) { - const char *common_suffix, *wc; + _cleanup_free_ char *wc = NULL; + const char *common_suffix; int r; assert(rr); @@ -1734,7 +1735,10 @@ static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name) if (r <= 0) return r; - wc = strjoina("*.", common_suffix); + r = dns_name_concat("*", common_suffix, &wc); + if (r < 0) + return r; + return dns_name_between(dns_resource_key_name(rr->key), wc, rr->nsec.next_domain_name); } -- cgit v1.2.3-54-g00ecf