Fix issue when validating a response containing the original wildcard record

[captive-validator.git] / src / com / verisign / tat / dnssec / CaptiveValidator.java

diff --git a/src/com/verisign/tat/dnssec/CaptiveValidator.java b/src/com/verisign/tat/dnssec/CaptiveValidator.java
index c4ce498..c72bbc3 100644 (file)
--- a/src/com/verisign/tat/dnssec/CaptiveValidator.java
+++ b/src/com/verisign/tat/dnssec/CaptiveValidator.java
@@ -378,6 +378,13 @@ public class CaptiveValidator {
             // If so, an additional check will need to be made in the authority
             // section.
             wc = ValUtils.rrsetWildcard(rrsets[i]);
+            // if the wildcard expansion equals the orig name, then we
+            // have the actual wildcard record and no actual wildcard
+            // expansion happened, so we shouldn't do the extra
+            // validation.
+            if (wc.equals(rrsets[i].getName())) {
+                wc = null;
+            }
 
             // Notice a DNAME that should be followed by an unsigned CNAME.
             if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
@@ -447,8 +454,8 @@ public class CaptiveValidator {
         // If after all this, we still haven't proven the positive wildcard
         // response, fail.
         if ((wc != null) && !wcNSEC_ok) {
-            // log.debug("positive response was wildcard expansion and "
-            // + "did not prove original data did not exist");
+            mErrorList.add("Positive response was wildcard expansion " +
+                           "and did not prove original data did not exist.");
             m.setStatus(SecurityStatus.BOGUS);
 
             return;
@@ -945,7 +952,7 @@ public class CaptiveValidator {
         }
 
         ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
-
+        log.debug("Response was classified as a " + subtype);
         switch (subtype) {
         case POSITIVE:
             log.trace("Validating a positive response");