detect when closest-encloser name is too long

there was a database bug in which dns_db_find() could get a partial match for the query name, but still set foundname to match the full query name. this triggered an assertion when query_addwildcardproof() assumed that foundname would be shorter. the database bug has been fixed, but in case it happens again, we can just copy the name instead of splitting it. we will also log a warning that the closest-encloser name was invalid.
2025-08-30 22:15:20 +00:00 · 2025-01-08 18:08:05 -08:00
parent 5da31b753a
commit 1f4ba71f56
1 changed files with 9 additions and 1 deletions
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -11407,7 +11407,15 @@ again:
 		 * Add no qname proof.
 		 */
 		labels = dns_name_countlabels(cname) + 1;
-		if (dns_name_countlabels(name) == labels) {
+		if (labels > maxlabels) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(cname, namebuf, sizeof(namebuf));
+			ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "closest-encloser name too long: %s",
+				      namebuf);
+			dns_name_copy(name, wname);
+		} else if (labels == maxlabels) {
 			dns_name_copy(name, wname);
 		} else {
 			dns_name_split(name, labels, NULL, wname);