Bug 716 - NODATA with empty non-terminals and wildcards
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.5.6
Hardware: x86_64 Linux
Importance: P5 normal
Assigned To: unbound team
Reported: 2015-10-28 11:47 CET by Matthijs Mekking
Modified: 2015-10-29 14:08 CET (History)

Attachments
Suggested fix (804 bytes, text/plain)
2015-10-28 11:47 CET, Matthijs Mekking

Description Matthijs Mekking 2015-10-28 11:47:22 CET
Created attachment 299
Suggested fix

Hi,

It seems that unbound does not check whether the provided NSEC in a NODATA answer covers an empty non-terminal wildcard domain name [https://tools.ietf.org/html/rfc4592#section-4.9].

See attached patch for a suggested fix.

Best regards,
Matthijs
Comment 1 Wouter Wijngaards 2015-10-28 12:00:25 CET
Hi Matthijs,

This is for foo.example NSEC bar.*.foo.example type wildcards?  We must also make sure that the qname is not below bar.*.foo.example in the tests, because the wildcard does not apply at and under the 'bar' name.

To fix that, before the dname_is_wild(nm) check, this? 
/* if query name underneath name inside wildcard, wildcard does not apply */
if(dname_subdomain_c(qname, nm)) break;

Thanks for the report!
Wouter
Comment 2 Matthijs Mekking 2015-10-28 13:18:55 CET
> We must also make sure that the qname is not below bar.*.foo.example in the
> tests, because the wildcard does not apply at and under the 'bar' name.

Yes, another corner case. Good catch!
Comment 3 Wouter Wijngaards 2015-10-29 14:08:42 CET
Hi Matthijs,

Fix committed.  Thank you for the report!

Best regards, Wouter
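
Added example (not part of the bug thread and not Unbound's code): a sketch of the check discussed above, walking up from the NSEC next name to find an empty non-terminal wildcard while skipping query names at or under the name below the '*'. The helper names and the use of presentation-format strings are assumptions for illustration; the names are the constructed ones from the thread.

```c
#include <string.h>

/* Names are lowercase presentation format without trailing dot (assumption;
 * Unbound itself works on wire-format names). "" is the root. */
static const char *parent(const char *n) {
    const char *dot = strchr(n, '.');
    return dot ? dot + 1 : "";
}
static int is_subdomain(const char *d, const char *anc) { /* d at or below anc */
    size_t ld = strlen(d), la = strlen(anc);
    if (la == 0) return 1;
    if (ld < la || strcmp(d + ld - la, anc) != 0) return 0;
    return ld == la || d[ld - la - 1] == '.';
}
/* Canonical DNS ordering (RFC 4034 section 6.1): compare labels right to left. */
static int canon_cmp(const char *a, const char *b) {
    size_t ea = strlen(a), eb = strlen(b);
    while (ea && eb) {
        size_t sa = ea, sb = eb;
        while (sa && a[sa - 1] != '.') sa--;
        while (sb && b[sb - 1] != '.') sb--;
        size_t la = ea - sa, lb = eb - sb;
        int c = memcmp(a + sa, b + sb, la < lb ? la : lb);
        if (c) return c;
        if (la != lb) return la < lb ? -1 : 1;
        ea = sa ? sa - 1 : 0;
        eb = sb ? sb - 1 : 0;
    }
    return ea ? 1 : (eb ? -1 : 0);
}

/* 1 if the NSEC owner -> next shows an empty non-terminal wildcard that
 * qname could be expanded from (hypothetical helper, not Unbound's API).
 * Proving that qname itself does not exist is a separate step. */
static int wildcard_ent_applies(const char *owner, const char *next, const char *qname) {
    for (const char *nm = next; canon_cmp(owner, nm) < 0; nm = parent(nm)) {
        /* qname at or under a name that exists below the '*': no expansion */
        if (is_subdomain(qname, nm)) break;
        /* next itself owns records; only its strict ancestors are empty */
        if (nm != next && nm[0] == '*' && nm[1] == '.' &&
            strcmp(qname, parent(nm)) != 0 && is_subdomain(qname, parent(nm)))
            return 1;
    }
    return 0;
}

int main(void) { /* exit status 0 when the wildcard ENT is found */
    return !wildcard_ent_applies("foo.example", "bar.*.foo.example", "x.foo.example");
}
```

The loop stops once the stripped name is no longer canonically after the NSEC owner, so only names the NSEC shows to hold no records of their own are considered.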