From a72a903d0be131daa93e14feaa7d4bcdce3e958e Mon Sep 17 00:00:00 2001 From: David Blacka Date: Tue, 28 Jul 2015 15:38:27 -0400 Subject: [PATCH] Fix issue when validating a response containing the original wildcard record e.g., a response to *.foo.bar.com itself. Enable debug logging when debug=true. --- src/com/verisign/cl/DNSSECValTool.java | 1 + src/com/verisign/tat/dnssec/CaptiveValidator.java | 13 ++++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/com/verisign/cl/DNSSECValTool.java b/src/com/verisign/cl/DNSSECValTool.java index be4cdb8..bab5df8 100644 --- a/src/com/verisign/cl/DNSSECValTool.java +++ b/src/com/verisign/cl/DNSSECValTool.java @@ -343,6 +343,7 @@ public class DNSSECValTool { dr.dnskeyNames.add(optarg); } else if (opt.equals("debug")) { dr.debug = Boolean.parseBoolean(optarg); + rootLogger.setLevel(Level.TRACE); } else { System.err.println("Unrecognized option: " + opt); usage(); diff --git a/src/com/verisign/tat/dnssec/CaptiveValidator.java b/src/com/verisign/tat/dnssec/CaptiveValidator.java index c4ce498..c72bbc3 100644 --- a/src/com/verisign/tat/dnssec/CaptiveValidator.java +++ b/src/com/verisign/tat/dnssec/CaptiveValidator.java @@ -378,6 +378,13 @@ public class CaptiveValidator { // If so, an additional check will need to be made in the authority // section. wc = ValUtils.rrsetWildcard(rrsets[i]); + // if the wildcard expansion equals the orig name, then we + // have the actual wildcard record and no actual wildcard + // expansion happened, so we shouldn't do the extra + // validation. + if (wc.equals(rrsets[i].getName())) { + wc = null; + } // Notice a DNAME that should be followed by an unsigned CNAME. if ((qtype != Type.DNAME) && (rrsets[i].getType() == Type.DNAME)) { @@ -447,8 +454,8 @@ public class CaptiveValidator { // If after all this, we still haven't proven the positive wildcard // response, fail. if ((wc != null) && !wcNSEC_ok) { - // log.debug("positive response was wildcard expansion and " - // + "did not prove original data did not exist"); + mErrorList.add("Positive response was wildcard expansion " + + "and did not prove original data did not exist."); m.setStatus(SecurityStatus.BOGUS); return; @@ -945,7 +952,7 @@ public class CaptiveValidator { } ValUtils.ResponseType subtype = ValUtils.classifyResponse(message, zone); - + log.debug("Response was classified as a " + subtype); switch (subtype) { case POSITIVE: log.trace("Validating a positive response");