authorMarc van der Wal <marc.vanderwal@afnic.fr>2023-11-13 14:13:37 +0100
committerMarc van der Wal <marc.vanderwal@afnic.fr>2023-11-14 11:06:38 +0100
commit0c465bad3373d622853a5b2e256cd65a6569a2fb (patch)
tree29bb9ec54e6a7e9366422b0125d7fa8231cc1316 /t
parentb4f3b607626d29b1e7b8a0d32921336c7b10a08b (diff)
Zonemaster::LDNS::RR::NSEC3::covers: check RRs
In Zonemaster::LDNS::RR::NSEC3::covers(), perform a simple sanity check on resource records before giving them to ldns_nsec_covers_name(). With ldns version 1.8.3, ldns_nsec_covers_name() crashes if the NSEC3 resource record has the root domain as owner name or has an empty next hashed owner name. Both are cases of invalid NSEC3 resource records that should be tested for before trying to do anything with them. While this is technically an ldns bug, we still need some kind of workaround, especially because Zonemaster::LDNS is linked by default against a bundled version of ldns.
Diffstat (limited to 't')
-rw-r--r--t/dnssec.t32
1 files changed, 14 insertions, 18 deletions
diff --git a/t/dnssec.t b/t/dnssec.t
index 8020804..ffb6fa7 100644
--- a/t/dnssec.t
+++ b/t/dnssec.t
@@ -68,24 +68,20 @@ ok($nsec3->covers('xx-example.com'), 'Covers xx-example.com');
is($nsec3->covers('.'), undef, 'Does not cover the root domain');
subtest 'malformed NSEC3 do not cover anything' => sub {
- SKIP: {
- skip 'guaranteed crash', 2;
-
- # Malformed resource record lacking a next hashed owner name field in
- # its RDATA. The only way to synthesize such a datum is to use the RFC
- # 3597 syntax.
- my $example = Zonemaster::LDNS::RR->new(
- q{example. 0 IN NSEC3 \# 15 01 00 0001 01 AB 00 0006 400000000002}
- );
- is( $example->covers("example"), undef );
-
- # NSEC3 resource record whose owner name is the root name. This should
- # normally not happen.
- $example = Zonemaster::LDNS::RR->new(
- q{. 0 IN NSEC3 1 0 1 ab 01234567 A RRSIG}
- );
- is( $example->covers("example"), undef );
- }
+ # Malformed resource record lacking a next hashed owner name field in its
+ # RDATA. The only way to synthesize such a datum is to use the RFC 3597
+ # syntax.
+ my $example = Zonemaster::LDNS::RR->new(
+ q{example. 0 IN NSEC3 \# 15 01 00 0001 01 AB 00 0006 400000000002}
+ );
+ is( $example->covers("example"), undef );
+
+ # NSEC3 resource record whose owner name is the root name. This should
+ # normally not happen.
+ $example = Zonemaster::LDNS::RR->new(
+ q{. 0 IN NSEC3 1 0 1 ab 01234567 A RRSIG}
+ );
+ is( $example->covers("example"), undef );
};
SKIP: {
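Review bot: Both `is( $example->covers("example"), undef );` assertions in the 'malformed NSEC3 do not cover anything' subtest have no test name, so a failure in this crash-regression test will not say which malformed record caused it. I would name them, e.g. `'NSEC3 without next hashed owner name covers nothing'` and `'NSEC3 owned by the root name covers nothing'`. It would also help to add `isa_ok( $example, 'Zonemaster::LDNS::RR::NSEC3' );` after each `Zonemaster::LDNS::RR->new(...)`, so that a parser rejecting the RFC 3597 form or the root-owned record shows up as a clear failure rather than a method call on an unexpected value. Since these records model malformed data that a remote name server could return, a short comment stating that the previous failure mode was a crash inside ldns_nsec_covers_name() would tell future maintainers why the subtest must never be skipped again.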