From db5b0e92b3c23e6f360bd0f44a655b35921a6c98 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 21 Dec 2015 21:06:29 +0100
Subject: resolved: tighten search for NSEC3 RRs a bit

Be stricter when searching suitable NSEC3 RRs for proof: generalize the
check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add
additional checks, such as checking whether all NSEC3 RRs use the same
parameters, have the same suffix and so on.
---
 src/shared/dns-domain.c | 18 ++++++++++++++++++
 src/shared/dns-domain.h |  2 ++
 2 files changed, 20 insertions(+)

(limited to 'src/shared')

diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
index f3dbf60395..f44e80c9db 100644
--- a/src/shared/dns-domain.c
+++ b/src/shared/dns-domain.c
@@ -1215,3 +1215,21 @@ int dns_name_count_labels(const char *name) {
 
         return (int) n;
 }
+
+int dns_name_equal_skip(const char *a, unsigned n_labels, const char *b) {
+        int r;
+
+        assert(a);
+        assert(b);
+
+        while (n_labels > 0) {
+
+                r = dns_name_parent(&a);
+                if (r <= 0)
+                        return r;
+
+                n_labels --;
+        }
+
+        return dns_name_equal(a, b);
+}
diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h
index 7b509729fb..dd8ae3ac98 100644
--- a/src/shared/dns-domain.h
+++ b/src/shared/dns-domain.h
@@ -102,3 +102,5 @@ int dns_service_split(const char *joined, char **name, char **type, char **domai
 
 int dns_name_suffix(const char *name, unsigned n_labels, const char **ret);
 int dns_name_count_labels(const char *name);
+
+int dns_name_equal_skip(const char *a, unsigned n_labels, const char *b);
-- 
cgit v1.2.3-54-g00ecf