[PR #697] [MERGED] Fix NSEC record selection for NODATA and NXDOMAIN responses #1612

Closed
opened 2026-03-16 02:15:58 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/697
Author: @bluejekyll
Created: 3/1/2019
Status: Merged
Merged: 3/8/2019
Merged by: @bluejekyll

Base: master ← Head: fix-nsec-noerror


📝 Commits (10+)

  • ff66255 Always set authoritative flag
  • e0e1470 include wildcard proof in NSEC
  • 9fcf97d make NSEC records cover themselves at their own name
  • e45cc8f dedup NSEC proofs
  • da4a3c2 fix start, middle, and end NSEC selection
  • 6bcec63 fix clippy errors
  • 727b52c put SOA record before NSEC and NS records
  • 9593e42 keep NXDOMAIN flag preserved when returning NSEC records
  • 9ba457c return NOERROR on names with dots
  • 7714ab9 improve NSEC verification

📊 Changes

14 files changed (+813 additions, -425 deletions)


📝 Cargo.lock (+234 -251)
📝 crates/proto/src/rr/dnssec/rdata/nsec.rs (+21 -2)
📝 crates/proto/src/rr/rdata/tlsa.rs (+0 -3)
📝 crates/proto/src/xfer/secure_dns_handle.rs (+134 -79)
📝 crates/server/src/authority/auth_lookup.rs (+41 -5)
📝 crates/server/src/authority/catalog.rs (+8 -6)
📝 crates/server/src/logger.rs (+1 -1)
📝 crates/server/src/store/file/authority.rs (+87 -18)
📝 crates/server/src/store/sqlite/authority.rs (+85 -17)
📝 crates/server/tests/authority_battery/basic.rs (+45 -0)
📝 crates/server/tests/authority_battery/dnssec.rs (+150 -42)
📝 crates/server/tests/named_test_configs/example.com.zone (+3 -0)
📝 tests/integration-tests/tests/secure_client_handle_tests.rs (+1 -1)
📝 tests/integration-tests/tests/server_future_tests.rs (+3 -0)

📄 Description

fixes: #696

FYI @Darkspirit

In the case of NODATA, the server was not returning a single NSEC that covered the specific name at which other records existed.

In the case of NXDOMAIN, the server was not properly returning NSECs that both 1) covered the query name, and 2) returned a proof that no wildcard records existed.

This patch adds tests for both, and fixes the underlying issue. (dedup of code will happen in a later patch)


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

kerem 2026-03-16 02:15:58 +03:00
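The PR description states the two proofs an authoritative server owes a validator: for NODATA, the single NSEC at the existing query name (its type bitmap proves the type is absent), and for NXDOMAIN, an NSEC covering the query name plus a proof that no wildcard at the closest encloser exists, deduplicated when one record serves both. The following added example is not hickory-dns code and does not use its API; it is a self-contained model of that selection over a constructed sample zone, with the canonical ordering of RFC 4034 section 6.1 and the wrap-around of the last NSEC to the apex. It goes beyond the description in also returning the RFC 4035 section 3.1.3.3 and 3.1.3.4 cases where a wildcard does match. Assumptions: lowercase ASCII names, no empty non-terminals (every closest encloser is an owner name), and RRSIGs omitted; the zone contents, the `Denial` enum and all function names are hypothetical.

```rust
// Added example (not hickory-dns code): which NSEC records a server must select
// for negative answers (RFC 4034 s6.1, RFC 4035 s3.1.3). Sample zone is constructed.
use std::cmp::Ordering;

/// Owner name as lowercase labels in wire order, e.g. ["www", "example", "com"].
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Name(Vec<String>);

impl Name {
    pub fn parse(s: &str) -> Name {
        Name(s.trim_end_matches('.').split('.').filter(|l| !l.is_empty())
            .map(|l| l.to_ascii_lowercase()).collect())
    }
    pub fn text(&self) -> String { format!("{}.", self.0.join(".")) }
    /// Drop the leftmost label; None at the root.
    pub fn parent(&self) -> Option<Name> {
        if self.0.is_empty() { None } else { Some(Name(self.0[1..].to_vec())) }
    }
    /// The wildcard directly below this name, i.e. "*.<self>".
    pub fn wildcard(&self) -> Name {
        let mut labels = vec!["*".to_string()];
        labels.extend(self.0.iter().cloned());
        Name(labels)
    }
    /// RFC 4034 s6.1 canonical order: labels compared right to left, bytewise;
    /// a name sorts before all of its descendants.
    pub fn canonical_cmp(&self, other: &Name) -> Ordering {
        let (mut a, mut b) = (self.0.iter().rev(), other.0.iter().rev());
        loop {
            match (a.next(), b.next()) {
                (None, None) => return Ordering::Equal,
                (None, Some(_)) => return Ordering::Less,
                (Some(_), None) => return Ordering::Greater,
                (Some(x), Some(y)) => match x.as_bytes().cmp(y.as_bytes()) {
                    Ordering::Equal => {}
                    ord => return ord,
                },
            }
        }
    }
}

/// One NSEC record: owner, next owner in the chain, and the type bitmap.
#[derive(Clone, Debug)]
pub struct Nsec { pub owner: Name, pub next: Name, pub types: Vec<String> }

impl Nsec {
    pub fn has_type(&self, t: &str) -> bool { self.types.iter().any(|x| x.as_str() == t) }
    /// True when owner < name < next. The last NSEC points back to the apex, so it
    /// covers every in-zone name sorting after its owner.
    pub fn covers(&self, name: &Name) -> bool {
        let after_owner = self.owner.canonical_cmp(name) == Ordering::Less;
        let before_next = name.canonical_cmp(&self.next) == Ordering::Less;
        let wraps = self.next.canonical_cmp(&self.owner) != Ordering::Greater;
        if wraps { after_owner || before_next } else { after_owner && before_next }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denial { Exists, NoData, NxDomain, WildcardAnswer, WildcardNoData }

pub struct Zone { pub nsecs: Vec<Nsec> }

impl Zone {
    /// Build the chain from (owner, "TYPE TYPE ..."): canonical sort, each record points
    /// at the next owner, the last wraps to the apex. Every signed name also gets RRSIG and NSEC.
    pub fn new(names: &[(&str, &str)]) -> Zone {
        let mut entries: Vec<(Name, Vec<String>)> = names.iter().map(|(n, t)| {
            let mut types: Vec<String> = t.split_whitespace().map(String::from).collect();
            for extra in ["RRSIG", "NSEC"].iter() {
                if !types.iter().any(|x| x.as_str() == *extra) { types.push(extra.to_string()); }
            }
            (Name::parse(n), types)
        }).collect();
        entries.sort_by(|a, b| a.0.canonical_cmp(&b.0));
        let n = entries.len();
        let nsecs = (0..n).map(|i| Nsec {
            owner: entries[i].0.clone(), next: entries[(i + 1) % n].0.clone(), types: entries[i].1.clone(),
        }).collect();
        Zone { nsecs }
    }
    fn at(&self, name: &Name) -> Option<&Nsec> { self.nsecs.iter().find(|r| &r.owner == name) }
    fn covering(&self, name: &Name) -> Option<&Nsec> { self.nsecs.iter().find(|r| r.covers(name)) }

    /// Classify a negative answer and list the NSEC owner names for the authority
    /// section, duplicates removed (one NSEC may serve as both proofs).
    pub fn deny(&self, qname: &str, qtype: &str) -> (Denial, Vec<String>) {
        let qname = Name::parse(qname);
        if let Some(r) = self.at(&qname) {
            // NODATA: the name exists, so the single NSEC at that name is the whole proof;
            // its type bitmap shows qtype is absent. No covering or wildcard NSEC is added.
            return if r.has_type(qtype) { (Denial::Exists, vec![]) } else { (Denial::NoData, vec![r.owner.text()]) };
        }
        // Name absent: take the NSEC covering qname, then walk up to the closest encloser
        // (nearest existing ancestor); its wildcard decides the rest of the proof.
        let covering = self.covering(&qname).expect("chain covers every absent in-zone name");
        let mut encloser = qname.clone();
        loop {
            encloser = encloser.parent().expect("qname must lie below the apex");
            if self.at(&encloser).is_some() { break; }
        }
        let wildcard = encloser.wildcard();
        let mut proof = vec![covering.owner.text()];
        match self.at(&wildcard) {
            // Wildcard synthesizes the answer; the covering NSEC proves no closer match exists.
            Some(w) if w.has_type(qtype) => (Denial::WildcardAnswer, proof),
            // Wildcard matches but lacks qtype: add the NSEC at the wildcard itself.
            Some(w) => { if w.owner != covering.owner { proof.push(w.owner.text()); } (Denial::WildcardNoData, proof) }
            None => {
                // NXDOMAIN: also prove *.<closest encloser> does not exist; dedup if covered by the same record.
                let wc = self.covering(&wildcard).expect("chain covers the absent wildcard");
                if wc.owner != covering.owner { proof.push(wc.owner.text()); }
                (Denial::NxDomain, proof)
            }
        }
    }
}

/// Constructed sample zone (hypothetical data): apex, three hosts, a wildcard under wild.example.com.
pub fn sample_zone() -> Zone {
    Zone::new(&[
        ("example.com.", "SOA NS"), ("alias.example.com.", "CNAME"), ("mail.example.com.", "A"),
        ("wild.example.com.", "TXT"), ("*.wild.example.com.", "A"), ("www.example.com.", "A AAAA"),
    ])
}

fn main() {
    let zone = sample_zone();
    for (q, t) in [("www.example.com", "MX"), ("nope.example.com", "A"), ("aaa.example.com", "A")].iter() {
        println!("{} {} -> {:?}", q, t, zone.deny(q, t));
    }
}
```

Two outcomes worth noting when running it: `nope.example.com` needs two records (the NSEC at `mail.example.com` covers the name, the apex NSEC covers `*.example.com`), while `aaa.example.com` sorts between the apex and `alias.example.com`, so the apex NSEC covers both the name and the wildcard and is returned once. A validator that receives only the covering NSEC for the first case, or two copies for the second, should reject or treat the response as bogus, which is why the server-side selection matters.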
Reference
starred/hickory-dns#1612