Drop NSEC/3 records from `VerifiedRRStream::verified_rrs`
authorMatt Corallo <git@bluematt.me>
Sat, 2 Mar 2024 15:56:39 +0000 (15:56 +0000)
committerMatt Corallo <git@bluematt.me>
Sat, 2 Mar 2024 16:41:07 +0000 (16:41 +0000)
`verified_rrs` is intended to include only the records a user may
want, not signatures and proof records. Thus, like we remove
RRSIG/DS records, here we also remove NSEC/3 records.

src/query.rs
src/validation.rs

index 6137b79bbeb7979e4343fefb047ce9063ac63a0d..1e02e2b1dfd14e742e9d470f8b67e388500b0feb 100644 (file)
@@ -557,7 +557,7 @@ mod tests {
                        let mut rrs = parse_rr_stream(&proof).unwrap();
                        rrs.shuffle(&mut rand::rngs::OsRng);
                        let verified_rrs = verify_rr_stream(&rrs).unwrap();
-                       assert_eq!(verified_rrs.verified_rrs.len(), 3);
+                       assert_eq!(verified_rrs.verified_rrs.len(), 2);
 
                        let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
                        assert!(verified_rrs.valid_from < now);
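Review bot: The updated assertion checks only the number of records, so it would still pass if an NSEC/NSEC3 record were kept and a wanted record dropped in its place; the same applies to the count change in the next `mod tests` hunk (5 to 3). Unless lines outside these hunks already inspect the contents, consider asserting the property this commit introduces, e.g. `assert!(verified_rrs.verified_rrs.iter().all(|rr| rr.ty() != NSec::TYPE && rr.ty() != NSec3::TYPE));`. That line needs `NSec` and `NSec3` in scope in this test module, which is not visible here. The test body starts and ends outside the hunk.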
@@ -583,7 +583,7 @@ mod tests {
                        let mut rrs = parse_rr_stream(&proof).unwrap();
                        rrs.shuffle(&mut rand::rngs::OsRng);
                        let verified_rrs = verify_rr_stream(&rrs).unwrap();
-                       assert_eq!(verified_rrs.verified_rrs.len(), 5);
+                       assert_eq!(verified_rrs.verified_rrs.len(), 3);
 
                        let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
                        assert!(verified_rrs.valid_from < now);
index 75620b100364b33b6043621eea455a0b181582a6..45320d460f0bf9d2e520ef4558002641dd90ab87 100644 (file)
@@ -220,7 +220,8 @@ where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
 /// contained records verified.
 #[derive(Debug, Clone)]
 pub struct VerifiedRRStream<'a> {
-       /// The set of verified [`RR`]s.
+       /// The set of verified [`RR`]s, not including [`DnsKey`], [`RRSig`], [`NSec`], and [`NSec3`]
+       /// records.
        ///
        /// These are not valid unless the current UNIX time is between [`Self::valid_from`] and
        /// [`Self::expires`].
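Review bot: The new doc comment on `verified_rrs` lists [`DnsKey`], [`RRSig`], [`NSec`] and [`NSec3`] as excluded, while the commit description says RRSIG/DS records are the ones already removed, so either `DS` is missing from the list or `DnsKey` stands in its place. The code that drops those earlier types is outside this diff, so which one is right cannot be confirmed from here. Please align the list with what `verify_rr_stream` actually filters, since callers will rely on this comment to know which record types can never appear in the validated set. The struct definition continues past the hunk.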
@@ -504,6 +505,8 @@ pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<VerifiedRRStream<'a>, Valid
                return Err(ValidationError::Invalid);
        }
 
+       res.retain(|rr| rr.ty() != NSec::TYPE && rr.ty() != NSec3::TYPE);
+
        Ok(VerifiedRRStream {
                verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
                max_cache_ttl: min_ttl,
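Review bot: The added `res.retain(...)` runs after the guard that returns `ValidationError::Invalid` just above it, and that guard's condition is outside the hunk. If it is what rejects an empty result, a stream whose only validated records are NSEC/NSEC3 now returns `Ok` with an empty `verified_rrs`, and a caller that treats `Ok` as "a signed answer exists" would be misled. Either move the filter ahead of that check, or state on the field that it may be empty on success so callers check for it. A short why-comment above the `retain` would also help, e.g. `// Proof-only records were needed for validation but are not returned to callers.`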
@@ -1079,7 +1082,7 @@ mod tests {
                rrs.shuffle(&mut rand::rngs::OsRng);
                let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
                verified_rrs.verified_rrs.sort();
-               assert_eq!(verified_rrs.verified_rrs.len(), 5);
+               assert_eq!(verified_rrs.verified_rrs.len(), 2);
                if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
                        assert_eq!(txt.name.as_str(), "asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
                        assert_eq!(txt.data, b"wildcard_test");