Properly build the NSEC/NSEC3 type bit map

DNSKEY was incorrectly being added to the NSEC/NSEC3 type bit map
when it was obscured by the delegation.  This led to zone verification
failures.

(cherry picked from commit ec3c624814)
Mark Andrews
2024-01-09 12:12:33 +11:00
parent 32589b2be7
commit 29292902c0


@@ -939,7 +939,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
* other than NSEC and DS is not signed at a delegation.
*/
if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey &&
(!delegation || rdataset.type == dns_rdatatype_ds ||
rdataset.type == dns_rdatatype_nsec))
{
@@ -954,9 +953,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
if (rdataset.type > maxtype) {
maxtype = rdataset.type;
}
} else if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey)
{
} else if (rdataset.type != dns_rdatatype_rrsig) {
if (rdataset.type == dns_rdatatype_ns) {
dns_nsec_setbit(types, rdataset.type, 1);
if (rdataset.type > maxtype) {
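Review bot: The comment that ends just above the first condition still describes only NSEC, DS and NS, and nothing in the code now says why DNSKEY has no special case; the rationale lives only in the commit message. I would extend that comment with something like `A DNSKEY at a delegation is obscured: it is not signed and must not appear in the type bit map.` With both `dns_rdatatype_dnskey` tests gone, a DNSKEY outside a delegation now takes the first branch, whose body lies between the two hunks and is not shown here, so it is worth confirming that this is the path a DNSKEY at the zone apex should go through. No regression test for a DNSKEY below a zone cut is visible on this page; if none exists, adding one would pin the bit-map behaviour that zone verification depends on. verifynode starts and ends outside both hunks.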