From db5b0e92b3c23e6f360bd0f44a655b35921a6c98 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 21 Dec 2015 21:06:29 +0100 Subject: resolved: tighten search for NSEC3 RRs a bit Be stricter when searching suitable NSEC3 RRs for proof: generalize the check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add additional checks, such as checking whether all NSEC3 RRs use the same parameters, have the same suffix and so on. --- src/shared/dns-domain.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'src/shared/dns-domain.c') diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c index f3dbf60395..f44e80c9db 100644 --- a/src/shared/dns-domain.c +++ b/src/shared/dns-domain.c @@ -1215,3 +1215,21 @@ int dns_name_count_labels(const char *name) { return (int) n; } + +int dns_name_equal_skip(const char *a, unsigned n_labels, const char *b) { + int r; + + assert(a); + assert(b); + + while (n_labels > 0) { + + r = dns_name_parent(&a); + if (r <= 0) + return r; + + n_labels --; + } + + return dns_name_equal(a, b); +} -- cgit v1.2.3-54-g00ecf