Bugzilla – Bug 716
NODATA with empty non-terminals and wildcards
Last modified: 2015-10-29 14:08:42 CET
Created attachment 299
It seems that unbound does not check whether the provided NSEC in a NODATA answer covers an empty non-terminal wildcard domain name [https://tools.ietf.org/html/rfc4592#section-4.9].
See attached patch for a suggested fix.
This is for foo.example NSEC bar.*.foo.example type wildcards? We must also make sure that the qname is not below bar.*.foo.example in the tests, because the wildcard does not apply at and under the 'bar' name.
To fix that, before the dname_is_wild(nm) check, this?
/* if query name underneath name inside wildcard, wildcard does not apply */
if(dname_subdomain_c(qname, nm)) break;
Thanks for the report!
> We must also make sure that the qname is not below bar.*.foo.example in the
> tests, because the wildcard does not apply at and under the 'bar' name.
Yes, another corner case. Good catch!
Fix committed. Thank you for the report!
Best regards, Wouter
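
The check discussed in this thread, written out as an added example (this is not Unbound's code and not the attached patch). It assumes names are plain lowercase strings without a trailing dot and that the NSEC next name lies below the NSEC owner, as in foo.example NSEC bar.*.foo.example; the function and helper names are made up for the illustration.

```c
#include <string.h>

/* Assumption of this sketch: names are lowercase presentation-format
 * strings with no trailing dot and no escapes; "" is the root. */

/* Strip the leftmost label: "bar.*.foo.example" -> "*.foo.example". */
static const char *parent(const char *n)
{
    const char *dot = strchr(n, '.');
    return dot ? dot + 1 : "";
}

/* 1 if d equals anc or lies below it. */
static int is_subdomain(const char *d, const char *anc)
{
    size_t dl = strlen(d), al = strlen(anc);
    if (al == 0) return 1;
    if (dl < al || strcmp(d + dl - al, anc) != 0) return 0;
    return dl == al || d[dl - al - 1] == '.';
}

static int is_strict_subdomain(const char *d, const char *anc)
{
    return strcmp(d, anc) != 0 && is_subdomain(d, anc);
}

/* 1 if NSEC (owner -> next) shows qname falls under a wildcard that is an
 * empty non-terminal (NODATA, RFC 4592 section 4.9). Closest-encloser
 * proof for qname is a separate step and is not done here. */
int nsec_proves_ent_wildcard(const char *owner, const char *next,
                             const char *qname)
{
    const char *nm;
    for (nm = next; is_strict_subdomain(nm, owner); nm = parent(nm)) {
        /* qname at or under a name that exists inside the wildcard:
         * the wildcard does not apply */
        if (is_subdomain(qname, nm))
            return 0;
        /* strict ancestors of next hold no records in this NSEC span, so
         * a wildcard label found here is an empty non-terminal */
        if (nm != next && nm[0] == '*' && nm[1] == '.' &&
            is_strict_subdomain(qname, nm + 2))
            return 1;
    }
    return 0;
}
```

With foo.example NSEC bar.*.foo.example, a query for x.foo.example is accepted as NODATA through the empty non-terminal *.foo.example, while baz.bar.*.foo.example and bar.*.foo.example are rejected because the wildcard does not apply at or under 'bar'.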