]> git.bitcoin.ninja Git - dnssec-prover/commitdiff
Drop NSEC/3 records from `VerifiedRRStream::verified_rrs`
authorMatt Corallo <git@bluematt.me>
Sat, 2 Mar 2024 15:56:39 +0000 (15:56 +0000)
committerMatt Corallo <git@bluematt.me>
Sat, 2 Mar 2024 16:41:07 +0000 (16:41 +0000)
`verified_rrs` is intended to include only the records a user may
want, not signatures and proof records. Thus, like we remove
RRSIG/DS records, here we also remove NSEC/3 records.

src/query.rs
src/validation.rs

index 6137b79bbeb7979e4343fefb047ce9063ac63a0d..1e02e2b1dfd14e742e9d470f8b67e388500b0feb 100644 (file)
@@ -557,7 +557,7 @@ mod tests {
                        let mut rrs = parse_rr_stream(&proof).unwrap();
                        rrs.shuffle(&mut rand::rngs::OsRng);
                        let verified_rrs = verify_rr_stream(&rrs).unwrap();
-                       assert_eq!(verified_rrs.verified_rrs.len(), 3);
+                       assert_eq!(verified_rrs.verified_rrs.len(), 2);
 
                        let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
                        assert!(verified_rrs.valid_from < now);
@@ -583,7 +583,7 @@ mod tests {
                        let mut rrs = parse_rr_stream(&proof).unwrap();
                        rrs.shuffle(&mut rand::rngs::OsRng);
                        let verified_rrs = verify_rr_stream(&rrs).unwrap();
-                       assert_eq!(verified_rrs.verified_rrs.len(), 5);
+                       assert_eq!(verified_rrs.verified_rrs.len(), 3);
 
                        let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
                        assert!(verified_rrs.valid_from < now);
index 75620b100364b33b6043621eea455a0b181582a6..45320d460f0bf9d2e520ef4558002641dd90ab87 100644 (file)
@@ -220,7 +220,8 @@ where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
 /// contained records verified.
 #[derive(Debug, Clone)]
 pub struct VerifiedRRStream<'a> {
-       /// The set of verified [`RR`]s.
+       /// The set of verified [`RR`]s, not including [`DnsKey`], [`RRSig`], [`NSec`], and [`NSec3`]
+       /// records.
        ///
        /// These are not valid unless the current UNIX time is between [`Self::valid_from`] and
        /// [`Self::expires`].
@@ -504,6 +505,8 @@ pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<VerifiedRRStream<'a>, Valid
                return Err(ValidationError::Invalid);
        }
 
+       res.retain(|rr| rr.ty() != NSec::TYPE && rr.ty() != NSec3::TYPE);
+
        Ok(VerifiedRRStream {
                verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
                max_cache_ttl: min_ttl,
@@ -1079,7 +1082,7 @@ mod tests {
                rrs.shuffle(&mut rand::rngs::OsRng);
                let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
                verified_rrs.verified_rrs.sort();
-               assert_eq!(verified_rrs.verified_rrs.len(), 5);
+               assert_eq!(verified_rrs.verified_rrs.len(), 2);
                if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
                        assert_eq!(txt.name.as_str(), "asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
                        assert_eq!(txt.data, b"wildcard_test");