aboutsummaryrefslogtreecommitdiff
path: root/external/unbound/validator/val_nsec.c
diff options
context:
space:
mode:
Diffstat (limited to 'external/unbound/validator/val_nsec.c')
-rw-r--r--external/unbound/validator/val_nsec.c28
1 files changed, 25 insertions, 3 deletions
diff --git a/external/unbound/validator/val_nsec.c b/external/unbound/validator/val_nsec.c
index bdfe3c8fa..f104a347c 100644
--- a/external/unbound/validator/val_nsec.c
+++ b/external/unbound/validator/val_nsec.c
@@ -1,5 +1,5 @@
/*
- * validator/val_nsec.c - validator NSEC denial of existance functions.
+ * validator/val_nsec.c - validator NSEC denial of existence functions.
*
* Copyright (c) 2007, NLnet Labs. All rights reserved.
*
@@ -38,7 +38,7 @@
*
* This file contains helper functions for the validator module.
* The functions help with NSEC checking, the different NSEC proofs
- * for denial of existance, and proofs for presence of types.
+ * for denial of existence, and proofs for presence of types.
*/
#include "config.h"
#include "validator/val_nsec.h"
@@ -279,7 +279,7 @@ val_nsec_prove_nodata_dsreply(struct module_env* env, struct val_env* ve,
return sec_status_insecure;
}
- /* NSEC proof did not conlusively point to DS or no DS */
+ /* NSEC proof did not conclusively point to DS or no DS */
return sec_status_unchecked;
}
@@ -340,6 +340,28 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
*wc = ce;
return 1;
}
+ } else {
+ /* See if the next owner name covers a wildcard
+ * empty non-terminal. */
+ while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+ /* wildcard does not apply if qname below
+ * the name that exists under the '*' */
+ if (dname_subdomain_c(qinfo->qname, nm))
+ break;
+ /* but if it is a wildcard and qname is below
+ * it, then the wildcard applies. The wildcard
+ * is an empty nonterminal. nodata proven. */
+ if (dname_is_wild(nm)) {
+ size_t ce_len = ln;
+ uint8_t* ce = nm;
+ dname_remove_label(&ce, &ce_len);
+ if(dname_strict_subdomain_c(qinfo->qname, ce)) {
+ *wc = ce;
+ return 1;
+ }
+ }
+ dname_remove_label(&nm, &ln);
+ }
}
/* Otherwise, this NSEC does not prove ENT and is not a