Properly build the NSEC/NSEC3 type bit map

DNSKEY was incorrectly being added to the NSEC/NSEC3 type bit map
when it was obscured by the delegation.  This led to zone verification
failures.
Mark Andrews
2024-01-09 12:12:33 +11:00
parent e84615629f
commit ec3c624814


@@ -940,7 +940,6 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
* other than NSEC and DS is not signed at a delegation.
*/
if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey &&
(!delegation || rdataset.type == dns_rdatatype_ds ||
rdataset.type == dns_rdatatype_nsec))
{
@@ -955,9 +954,7 @@ verifynode(vctx_t *vctx, const dns_name_t *name, dns_dbnode_t *node,
if (rdataset.type > maxtype) {
maxtype = rdataset.type;
}
} else if (rdataset.type != dns_rdatatype_rrsig &&
rdataset.type != dns_rdatatype_dnskey)
{
} else if (rdataset.type != dns_rdatatype_rrsig) {
if (rdataset.type == dns_rdatatype_ns) {
dns_nsec_setbit(types, rdataset.type, 1);
if (rdataset.type > maxtype) {
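Review bot: The comment block above the first condition in verifynode still names only NSEC and DS as the exceptions at a delegation and does not mention the DNSKEY case this commit fixes, so the reason for dropping the `dns_rdatatype_dnskey` tests is not recorded in the code. I would add a line such as `* A DNSKEY at a delegation is occluded: it is not signed and gets no bit in the NSEC/NSEC3 type bit map.` to that comment. With the exclusion gone from both conditions, a DNSKEY at a non-delegation node takes the first branch and one at a delegation takes the `else if` branch, where only NS sets a bit. Whatever follows the `else if` chain is outside the hunk, so it is worth confirming that any remaining fallback is now reached by RRSIG alone. No regression test is visible on this page; a zone with a DNSKEY at a delegation name run through the verifier would pin the behaviour, and verifynode's body starts and ends outside these hunks.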