1335. [bug] When performing a nonexistence proof, the validator

should discard parent NXTs from higher in the DNS.
2002-08-02 05:39:56 +00:00
parent a914318b06
commit b0fbeb1884
2 changed files with 17 additions and 1 deletions
--- a/3
+++ b/3
@@ -15,6 +15,9 @@

 1340.	[bug]		Delay and spread out the startup refresh load.

+1335.	[bug]		When performing a nonexistence proof, the validator
+			should discard parent NXTs from higher in the DNS.
+
 1334.	[bug]		When signing/verifying rdatasets, duplicate rdatas
 			need to be suppressed.

--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: validator.c,v 1.91.2.3 2002/07/15 03:02:56 marka Exp $ */
+/* $Id: validator.c,v 1.91.2.4 2002/08/02 05:39:56 marka Exp $ */

 #include <config.h>

@@ -415,6 +415,19 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
 				      "missing NXT record at name");
 			return (ISC_FALSE);
 		}
+		if (dns_name_issubdomain(val->event->name, nxtname) &&
+		    dns_nxt_typepresent(&rdata, dns_rdatatype_ns) &&
+		    !dns_nxt_typepresent(&rdata, dns_rdatatype_soa))
+		{
+			/*
+			 * This NXT record is from somewhere higher in
+			 * the DNS, and at the parent of a delegation.
+			 * It can not be legitimately used here.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "ignoring parent nxt");
+			return (ISC_FALSE);
+		}
 		result = dns_rdata_tostruct(&rdata, &nxt, NULL);
 		if (result != ISC_R_SUCCESS)
 			return (ISC_FALSE);