From 29454486a3636160e944bde211bf48bd10908180 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Sat, 2 Mar 2024 15:56:39 +0000 Subject: [PATCH] Drop NSEC/3 records from `VerifiedRRStream::verified_rrs` `verified_rrs` is intended to include only the records a user may want, not signatures and proof records. Thus, like we remove RRSIG/DS records, here we also remove NSEC/3 records. --- src/query.rs | 4 ++-- src/validation.rs | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/query.rs b/src/query.rs index 6137b79..1e02e2b 100644 --- a/src/query.rs +++ b/src/query.rs @@ -557,7 +557,7 @@ mod tests { let mut rrs = parse_rr_stream(&proof).unwrap(); rrs.shuffle(&mut rand::rngs::OsRng); let verified_rrs = verify_rr_stream(&rrs).unwrap(); - assert_eq!(verified_rrs.verified_rrs.len(), 3); + assert_eq!(verified_rrs.verified_rrs.len(), 2); let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); assert!(verified_rrs.valid_from < now); @@ -583,7 +583,7 @@ mod tests { let mut rrs = parse_rr_stream(&proof).unwrap(); rrs.shuffle(&mut rand::rngs::OsRng); let verified_rrs = verify_rr_stream(&rrs).unwrap(); - assert_eq!(verified_rrs.verified_rrs.len(), 5); + assert_eq!(verified_rrs.verified_rrs.len(), 3); let now = SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs(); assert!(verified_rrs.valid_from < now); diff --git a/src/validation.rs b/src/validation.rs index 75620b1..45320d4 100644 --- a/src/validation.rs +++ b/src/validation.rs @@ -220,7 +220,8 @@ where T: IntoIterator, I: Iterator + Clone { /// contained records verified. #[derive(Debug, Clone)] pub struct VerifiedRRStream<'a> { - /// The set of verified [`RR`]s. + /// The set of verified [`RR`]s, not including [`DnsKey`], [`RRSig`], [`NSec`], and [`NSec3`] + /// records. /// /// These are not valid unless the current UNIX time is between [`Self::valid_from`] and /// [`Self::expires`]. @@ -504,6 +505,8 @@ pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result, Valid return Err(ValidationError::Invalid); } + res.retain(|rr| rr.ty() != NSec::TYPE && rr.ty() != NSec3::TYPE); + Ok(VerifiedRRStream { verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry, max_cache_ttl: min_ttl, @@ -1079,7 +1082,7 @@ mod tests { rrs.shuffle(&mut rand::rngs::OsRng); let mut verified_rrs = verify_rr_stream(&rrs).unwrap(); verified_rrs.verified_rrs.sort(); - assert_eq!(verified_rrs.verified_rrs.len(), 5); + assert_eq!(verified_rrs.verified_rrs.len(), 2); if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] { assert_eq!(txt.name.as_str(), "asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja."); assert_eq!(txt.data, b"wildcard_test"); -- 2.39.5