From: Matt Corallo
Date: Mon, 18 Nov 2024 14:49:36 +0000 (+0000)
Subject: Fix issues verifying proofs built from 9.9.9.9
X-Git-Tag: v0.6.6~1
X-Git-Url: http://git.bitcoin.ninja/?a=commitdiff_plain;h=37251f01bdba40cf0c80d294eb802af3a9c6f6bb;p=dnssec-prover
Fix issues verifying proofs built from 9.9.9.9
Sometimes proofs built from 9.9.9.9 include duplicate NSEC3 records, which we have to filter out before signature verification or we'll get spurious signature verification errors.
---
diff --git a/src/validation.rs b/src/validation.rs
index 61ef023..6417f09 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -90,6 +90,11 @@ where Keys: IntoIterator {
 records.sort_unstable();
+ // Some recursive resolvers (at least 9.9.9.9) give us a few too many records, and the
+ // proof builder is too naive to filter them out. Instead, we filter them out here, as
+ // there's no security harm to just removing identical records here.
+ records.dedup();
+
 for record in records.iter() {
 let record_labels = record.name().labels() as usize;
 let labels = sig.labels.into();
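Review bot: `records.dedup()` only drops adjacent elements that compare equal under `PartialEq`, while the preceding `records.sort_unstable()` orders by `Ord`, and neither impl for the record type is visible in this hunk, so it is worth confirming that both agree with the exact form that gets signed. If equality is stricter than the canonical form (owner-name case, for example), resolver duplicates survive and verification still fails; if it is looser, two distinct records collapse and verification should fail too, so as far as this hunk shows both outcomes are fail-closed, but a regression test feeding a duplicated NSEC3 record would pin the intended behaviour. The comment's "no security harm" claim would be easier to audit with its reason stated, e.g. `// RFC 4034 section 6.3 requires dropping duplicate RRs before building the canonical RRset, so removing identical records cannot make unsigned data verify.` The enclosing function starts and ends outside the hunk.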