From 8ef23f9fb07a57d2f76e35e992f9c9d152fbf2b3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 6 Jul 2018 15:07:59 +1000
Subject: [PATCH] the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata
---
 lib/dns/include/dns/nsec.h | 3 +++
 lib/dns/nsec.c | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h
index da1d5d695a..623dfb70a8 100644
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@@ -101,6 +101,9 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 * or we can determine whether there is data or not at the name.
 * If the name does not exist return the wildcard name.
 *
+ * Return DNS_R_DNAME when the NSEC indicates that name is covered by
+ * a DNAME. 'wild' is not set in this case.
+ *
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
 */
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 991391b7a6..ad081d89fc 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -374,8 +374,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 }
 if (relation == dns_namereln_subdomain &&
- (dns_nsec_typepresent(&rdata, dns_rdatatype_dname) ||
- dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) &&
+ dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
 !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
 {
 /*
@@ -388,6 +387,15 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 return (ISC_R_IGNORE);
 }
+ if (relation == dns_namereln_subdomain &&
+ dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
+ {
+ (*logit)(arg, ISC_LOG_DEBUG(3),
+ "nsec proves covered by dname");
+ *exists = ISC_FALSE;
+ return (DNS_R_DNAME);
+ }
+
 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 if (result != ISC_R_SUCCESS)
 return (result);
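Review bot: The added paragraph in lib/dns/include/dns/nsec.h says only that 'wild' is not set on DNS_R_DNAME, and is silent about 'exists', which the matching branch in lib/dns/nsec.c does assign (`*exists = ISC_FALSE;`). A caller weighing a denial-of-existence proof needs to know which out-parameters are meaningful on this return, so I would add a line such as ` * 'exists' is set to false in this case.` directly after the new sentence. The top of this comment block is outside the hunk, so it may already describe the out-parameters in general terms.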
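Review bot: With the DNAME test removed, the condition in the first lib/dns/nsec.c hunk matches only NS without SOA, so an NSEC carrying both NS and DNAME is still ignored here before the new DNAME branch further down is reached. That precedence deserves a short comment above the `if`, for example `/* NS without SOA is checked first; the DNAME case is handled separately below. */`. The comment that opens on the hunk's last line is cut off, so I cannot see whether it still names DNAME as a reason for ignoring the record; if it does, it is now stale and should be trimmed in the same change. The `if` body continues outside the hunk.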
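Review bot: The new branch in the second lib/dns/nsec.c hunk returns DNS_R_DNAME, a result this function did not produce before, and it does so without assigning `*data`, while the diffstat shows that only nsec.h and nsec.c changed. The call sites are not visible here; any caller that distinguishes only ISC_R_SUCCESS and ISC_R_IGNORE will presumably take its generic error path for a DNAME-covered name, and any caller that reads `data` after the call would see whatever value it held before. Because this result feeds DNSSEC denial-of-existence decisions, I would add `*data = ISC_FALSE;` next to `*exists = ISC_FALSE;` and confirm that each call site handles the new code explicitly. The function body starts and ends outside the hunk.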