From a72a903d0be131daa93e14feaa7d4bcdce3e958e Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Tue, 28 Jul 2015 15:38:27 -0400
Subject: [PATCH] Fix issue when validating a response containing the original wildcard record e.g., a response to *.foo.bar.com itself. Enable debug logging when debug=true.
---
 src/com/verisign/cl/DNSSECValTool.java | 1 +
 src/com/verisign/tat/dnssec/CaptiveValidator.java | 13 ++++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/com/verisign/cl/DNSSECValTool.java b/src/com/verisign/cl/DNSSECValTool.java
index be4cdb8..bab5df8 100644
--- a/src/com/verisign/cl/DNSSECValTool.java
+++ b/src/com/verisign/cl/DNSSECValTool.java
@@ -343,6 +343,7 @@ public class DNSSECValTool {
 dr.dnskeyNames.add(optarg);
 } else if (opt.equals("debug")) {
 dr.debug = Boolean.parseBoolean(optarg);
+ rootLogger.setLevel(Level.TRACE);
 } else {
 System.err.println("Unrecognized option: " + opt);
 usage();
diff --git a/src/com/verisign/tat/dnssec/CaptiveValidator.java b/src/com/verisign/tat/dnssec/CaptiveValidator.java
index c4ce498..c72bbc3 100644
--- a/src/com/verisign/tat/dnssec/CaptiveValidator.java
+++ b/src/com/verisign/tat/dnssec/CaptiveValidator.java
@@ -378,6 +378,13 @@ public class CaptiveValidator {
 // If so, an additional check will need to be made in the authority
 // section.
 wc = ValUtils.rrsetWildcard(rrsets[i]);
+ // if the wildcard expansion equals the orig name, then we
+ // have the actual wildcard record and no actual wildcard
+ // expansion happened, so we shouldn't do the extra
+ // validation.
+ if (wc.equals(rrsets[i].getName())) {
+ wc = null;
+ }
 // Notice a DNAME that should be followed by an unsigned CNAME.
 if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
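Review bot: The added `rootLogger.setLevel(Level.TRACE);` runs whenever the `debug` option is given at all, so `debug=false` turns TRACE logging on just as `debug=true` does, even though `dr.debug` was parsed on the line above and the commit message says logging is enabled when debug=true. Guard it on the parsed value: `if (dr.debug) { rootLogger.setLevel(Level.TRACE); }`. TRACE is also one step more verbose than DEBUG; if the option is meant to produce debug output, `Level.DEBUG` matches its name, so it is worth confirming which level is intended. Where `rootLogger` and `Level` come from is not visible in this hunk, and the enclosing option-parsing method continues outside it.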
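Review bot: The new `if (wc.equals(rrsets[i].getName()))` dereferences `wc` immediately after `ValUtils.rrsetWildcard(rrsets[i])`, yet the later check `if ((wc != null) && !wcNSEC_ok)` in this same file treats null as the "no wildcard expansion" result; if that is what rrsetWildcard returns for an ordinary, non-expanded RRset, every normal positive answer would now throw a NullPointerException here instead of being validated, and whether that surfaces as a crash or is swallowed into some other status depends on callers not visible in the hunk. Guard the comparison: `if ((wc != null) && wc.equals(rrsets[i].getName())) {`. The comment could also say why equality means the extra check is unnecessary, e.g. `// owner name is the wildcard itself (*.example), not a name synthesized from it, so the authority-section proof that no closer match exists does not apply`. The enclosing loop over rrsets continues outside this hunk.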
@@ -447,8 +454,8 @@ public class CaptiveValidator {
 // If after all this, we still haven't proven the positive wildcard
 // response, fail.
 if ((wc != null) && !wcNSEC_ok) {
- // log.debug("positive response was wildcard expansion and "
- // + "did not prove original data did not exist");
+ mErrorList.add("Positive response was wildcard expansion "
+ + "and did not prove original data did not exist.");
 m.setStatus(SecurityStatus.BOGUS);
 return;
@@ -945,7 +952,7 @@ public class CaptiveValidator {
 }
 ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
-
+ log.debug("Response was classified as a " + subtype);
 switch (subtype) {
 case POSITIVE:
 log.trace("Validating a positive response");
-- 
2.36.6