projects / platform / upstream / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d9cd8ee) | patch
resolved: rework NSEC covering tests
authorLennart Poettering <lennart@poettering.net>
Fri, 8 Jun 2018 17:29:05 +0000 (19:29 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 11 Jun 2018 08:43:14 +0000 (10:43 +0200)
commit0b491556ac79950624849d218e01204d0452cc41
tree6b07bd80da4e838d1d5d36d6a074b158fb78bfb9tree | snapshot
parentd9cd8ee65a128c00ef8387b4c7306d74ac13bd04commit | diff
resolved: rework NSEC covering tests

This makes two changes: first of all we will now explicitly check
whether a domain to test against an NSEC record is actually below the
signer's name. This is relevant for NSEC records that chain up the end
and the beginning of a zone: we shouldn't alow that NSEC record to match
against domains outside of the zone.

This also fixes how we handle NSEC checks for domains that are prefixes
of the NSEC RR domain itself, fixing #8164 which triggers this specific
case. The non-wildcard NSEC check is simplified for that, we can
directly make our between check, there's no need to find the "Next
Closer" first, as the between check should not be affected by additional
prefixes. For the wild card NSEC check we'll prepend the asterisk in
this case to the NSEC RR itself to make a correct check.

Fixes: #8164
src/resolve/resolved-dns-dnssec.c diff | blob | history
src/resolve/test-dnssec-complex.c diff | blob | history
src/test/test-dns-domain.c diff | blob | history
Domain: System / System Framework;