resolved: fix NSEC proofs for missing TLDs
For the wildcard NSEC check we need to generate an "asterisk" domain, by prepending the common ancestor with "*.". So far we did that with a simple strappenda() which is fine for most domains, but doesn't work if the common ancestor is the root domain as we usually write that as "." in normalized form, and "*." joined with "." is "*.." and not "*." as it should be. Hence, use the clean way out, let's just use dns_name_concat() which only exists precisely for this reason, to properly concatenate labels. There's a good chance this actually fixes #5029, as this NSEC proof is triggered by lookups in the TLD "example", which doesn't exist on the Internet.
parent
c775838ad7
commit
97c2ea2645
|
@ -1710,7 +1710,8 @@ static int dnssec_nsec_covers(DnsResourceRecord *rr, const char *name) {
|
||||||
}
|
}
|
||||||
|
|
||||||
static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name) {
|
static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name) {
|
||||||
const char *common_suffix, *wc;
|
_cleanup_free_ char *wc = NULL;
|
||||||
|
const char *common_suffix;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(rr);
|
assert(rr);
|
||||||
|
@ -1734,7 +1735,10 @@ static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name)
|
||||||
if (r <= 0)
|
if (r <= 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
wc = strjoina("*.", common_suffix);
|
r = dns_name_concat("*", common_suffix, &wc);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
return dns_name_between(dns_resource_key_name(rr->key), wc, rr->nsec.next_domain_name);
|
return dns_name_between(dns_resource_key_name(rr->key), wc, rr->nsec.next_domain_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
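Review bot: The `dns_name_concat("*", common_suffix, &wc)` call in the second hunk has no comment explaining why a plain string join is wrong here, so the reason for the change lives only in the commit message. I would add above it `/* Build the wildcard name label-wise: if the common suffix is the root domain ".", joining "*." with it as strings gives "*.." instead of "*." */`. This comparison decides whether the NSEC record covers the wildcard name, so a regression test with the root as common ancestor would also be worth adding; none is visible in this section. The part of the function between the two hunks, where `common_suffix` is computed, is outside the view.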