[PR #3130] [MERGED] Ignore RRSIGs that claim NSEC/NSEC3 wildcards #3581

Closed
opened 2026-03-16 11:51:31 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/3130
Author: @divergentdave
Created: 7/17/2025
Status: Merged
Merged: 7/21/2025
Merged by: @djc

Base: main ← Head: david/ignore-nsec-nsec3-wildcard-expansion


📝 Commits (1)

  • 69b2ecf Ignore RRSIGs that claim NSEC/NSEC3 wildcards

📊 Changes

1 file changed (+10 additions, -0 deletions)


📝 crates/proto/src/dnssec/dnssec_dns_handle/mod.rs (+10 -0)

📄 Description

This adds a check for RRSIG records that cover NSEC or NSEC3 RRsets with a wildcard name that has been expanded. In order to address #2882, RRset validation will need to become re-entrant, since validating a wildcard expanded RRset requires validating one or more NSEC or NSEC3 RRsets. This PR gets out ahead of a possible infinite loop that could be triggered by a malicious server. Names of NSEC and NSEC3 records are spelled out in their respective RFCs, and neither can contain a wildcard label, so I think it should be fine to just ignore the relevant RRSIG, and treat the record as bogus.

Edit: NSEC records can have asterisk labels in their names, but importantly their names do not get expanded when they are sent by name servers.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
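The check the description outlines, as an added example that is not the PR's own ten-line change (the diff is not shown on this page) and not hickory-dns code. It follows RFC 4034 §3.1.3 for counting labels (the root label and a leftmost `*` label are not counted, which is why an NSEC RR literally owned by `*.example.com.` is not mistaken for an expansion) and RFC 4035 §5.3.1 for comparing that count with the RRSIG Labels field. The types `RecordType`, `Rrsig`, `SigStatus`, the function names and the sample owner names are all constructed for this example:

```rust
// Added example (not hickory-dns code): screen an RRSIG against the owner name
// of the RRset it covers, and ignore any RRSIG that would make an NSEC or NSEC3
// RRset look wildcard-expanded.

/// Subset of covered record types needed for the check (constructed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum RecordType {
    A,
    Nsec,
    Nsec3,
}

/// Minimal RRSIG view: only the fields the wildcard check reads (constructed).
#[derive(Debug, Clone)]
pub struct Rrsig {
    pub type_covered: RecordType,
    /// RFC 4034 §3.1.3 Labels field: label count of the original owner name,
    /// not counting the root label nor a leftmost "*" label.
    pub labels: u8,
}

/// Outcome of screening one RRSIG (constructed).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SigStatus {
    /// Owner name matches the Labels field: ordinary, signed-as-is RRset.
    Exact,
    /// Owner has more labels than the Labels field: synthesized from a wildcard,
    /// so validation must additionally prove the expansion with NSEC/NSEC3.
    WildcardExpanded,
    /// Labels field larger than the owner allows, or NSEC/NSEC3 with an
    /// "expanded" owner: the RRSIG is dropped and the RRset stays bogus.
    Ignored,
}

/// Count labels the way RFC 4034 §3.1.3 defines the Labels field: "." -> 0,
/// "example.com." -> 2, "*.example.com." -> 2, "host.example.com." -> 3.
pub fn rfc4034_label_count(owner: &str) -> u8 {
    let trimmed = owner.trim_end_matches('.');
    if trimmed.is_empty() {
        return 0;
    }
    let mut labels = trimmed.split('.').peekable();
    if labels.peek() == Some(&"*") {
        labels.next(); // leftmost wildcard label is not counted
    }
    labels.count() as u8
}

/// RFC 4035 §5.3.1 comparison plus the NSEC/NSEC3 rule from the PR description.
pub fn screen_rrsig(owner: &str, rrsig: &Rrsig) -> SigStatus {
    let fqdn_labels = rfc4034_label_count(owner);
    if rrsig.labels > fqdn_labels {
        // An RRSIG cannot claim more labels than the owner name has.
        return SigStatus::Ignored;
    }
    if rrsig.labels == fqdn_labels {
        return SigStatus::Exact;
    }
    // Fewer signed labels than the owner has: the RRset came from a wildcard.
    match rrsig.type_covered {
        // Name servers never wildcard-expand NSEC/NSEC3 owner names, so an
        // RRSIG claiming that is bogus. Rejecting it up front also removes the
        // re-entrancy hazard: proving a wildcard expansion needs validated
        // NSEC/NSEC3 RRsets, so an "expanded" NSEC would recurse into itself.
        RecordType::Nsec | RecordType::Nsec3 => SigStatus::Ignored,
        _ => SigStatus::WildcardExpanded,
    }
}

fn main() {
    // Constructed sample records; "abc123hash" stands in for an NSEC3 hash label.
    let cases = [
        ("www.example.com.", Rrsig { type_covered: RecordType::A, labels: 3 }),
        ("host.example.com.", Rrsig { type_covered: RecordType::A, labels: 2 }),
        ("*.example.com.", Rrsig { type_covered: RecordType::Nsec, labels: 2 }),
        ("host.example.com.", Rrsig { type_covered: RecordType::Nsec, labels: 2 }),
        ("abc123hash.example.com.", Rrsig { type_covered: RecordType::Nsec3, labels: 2 }),
    ];
    for (owner, sig) in &cases {
        println!(
            "{owner:<26} {:?} labels={} -> {:?}",
            sig.type_covered,
            sig.labels,
            screen_rrsig(owner, sig)
        );
    }
}
```

The fourth and fifth cases are the ones the PR targets: a signature whose Labels field is smaller than the owner's label count is normal for an A record under `*.example.com.`, but for NSEC or NSEC3 it can only come from a server that is lying, so the signature is discarded rather than fed back into the wildcard proof.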
