Fix issue when validating a response containing the original wildcard record

e.g., a response to *.foo.bar.com itself. Enable debug logging when debug=true.
2015-07-28 15:38:27 -04:00 · 2015-07-28 15:38:27 -04:00 · a72a903d0b
commit a72a903d0b
parent 37e9932d6e
2 changed files with 11 additions and 3 deletions
--- a/src/com/verisign/cl/DNSSECValTool.java
+++ b/src/com/verisign/cl/DNSSECValTool.java
@ -343,6 +343,7 @@ public class DNSSECValTool {
                    dr.dnskeyNames.add(optarg);
                } else if (opt.equals("debug")) {
                    dr.debug = Boolean.parseBoolean(optarg);
+                    rootLogger.setLevel(Level.TRACE);
                } else {
                    System.err.println("Unrecognized option: " + opt);
                    usage();
--- a/src/com/verisign/tat/dnssec/CaptiveValidator.java
+++ b/src/com/verisign/tat/dnssec/CaptiveValidator.java
@ -378,6 +378,13 @@ public class CaptiveValidator {
            // If so, an additional check will need to be made in the authority
            // section.
            wc = ValUtils.rrsetWildcard(rrsets[i]);
+            // if the wildcard expansion equals the orig name, then we
+            // have the actual wildcard record and no actual wildcard
+            // expansion happened, so we shouldn't do the extra
+            // validation.
+            if (wc.equals(rrsets[i].getName())) {
+                wc = null;
+            }

            // Notice a DNAME that should be followed by an unsigned CNAME.
            if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) {
@ -447,8 +454,8 @@ public class CaptiveValidator {
        // If after all this, we still haven't proven the positive wildcard
        // response, fail.
        if ((wc != null) && !wcNSEC_ok) {
-            // log.debug("positive response was wildcard expansion and "
-            // + "did not prove original data did not exist");
+            mErrorList.add("Positive response was wildcard expansion " +
+                           "and did not prove original data did not exist.");
            m.setStatus(SecurityStatus.BOGUS);

            return;
@ -945,7 +952,7 @@ public class CaptiveValidator {
        }

        ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone);
-
+        log.debug("Response was classified as a " + subtype);
        switch (subtype) {
        case POSITIVE:
            log.trace("Validating a positive response");