projects / dnssec-prover / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add support back for SHA-384 DS records
[dnssec-prover] / src / validation.rs
diff --git a/src/validation.rs b/src/validation.rs
index 16f1e5024cf9eda8b724b1f3ee5ecb5558352ac6..e6b585fd44921c70b3c48a4f4e742f81423186bc 100644 (file)
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -3,10 +3,11 @@
 use alloc::borrow::ToOwned;
 use alloc::vec::Vec;
 use alloc::vec;
-use core::cmp;
+use core::cmp::{self, Ordering};
 
 use ring::signature;
 
+use crate::base32;
 use crate::crypto;
 use crate::rr::*;
 use crate::ser::write_name;
@@ -96,7 +97,11 @@ where Keys: IntoIterator<Item = &'a DnsKey> {
                        for record in records.iter() {
                                let record_labels = record.name().labels() as usize;
                                let labels = sig.labels.into();
-                               if record_labels != labels {
+                               // For NSec types, the name should already match the wildcard, so we don't do any
+                               // filtering here. This is relied upon in `verify_rr_stream` to check whether an
+                               // NSec record is matching via wildcard (as otherwise we'd allow a resolver to
+                               // change the name out from under us and change the wildcard to something else).
+                               if record.ty() != NSec::TYPE && record_labels != labels {
                                        if record_labels < labels { return Err(ValidationError::Invalid); }
                                        let signed_name = record.name().trailing_n_labels(sig.labels);
                                        debug_assert!(signed_name.is_some());
@@ -154,6 +159,12 @@ where Keys: IntoIterator<Item = &'a DnsKey> {
                                        return Ok(());
                                }
                        }
+
+                       // Note that technically there could be a key tag collision here, causing spurious
+                       // verification failure. In most zones, there's only 2-4 DNSKEY entries, meaning a
+                       // spurious collision shouldn't be much more often than one every billion zones. Much
+                       // more likely in such a case, someone is just trying to do a KeyTrap attack, so we
+                       // simply hard-fail and return an error immediately.
                        sig_validation?;
 
                        return Ok(());
@@ -162,9 +173,11 @@ where Keys: IntoIterator<Item = &'a DnsKey> {
        Err(ValidationError::Invalid)
 }
 
-fn verify_dnskey_rrsig<'a, T, I>(sig: &RRSig, dses: T, records: Vec<&DnsKey>)
--> Result<(), ValidationError>
-where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
+/// Verify [`RRSig`]s over [`DnsKey`], returning a reference to the [`RRSig`] that matched, if any.
+fn verify_dnskeys<'r, 'd, RI, R, DI, D>(sigs: RI, dses: DI, records: Vec<&DnsKey>)
+-> Result<&'r RRSig, ValidationError>
+where RI: IntoIterator<IntoIter = R>, R: Iterator<Item = &'r RRSig>,
+      DI: IntoIterator<IntoIter = D>, D: Iterator<Item = &'d DS> + Clone {
        let mut validated_dnskeys = Vec::with_capacity(records.len());
        let dses = dses.into_iter();
 
@@ -189,7 +202,7 @@ where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
                                let mut ctx = match ds.digest_type {
                                        1 if trust_sha1 => crypto::hash::Hasher::sha1(),
                                        2 => crypto::hash::Hasher::sha256(),
-                                       // TODO: 4 => crypto::hash::Hasher::sha384(),
+                                       4 => crypto::hash::Hasher::sha384(),
                                        _ => continue,
                                };
                                write_name(&mut ctx, &dnskey.name);
@@ -205,7 +218,29 @@ where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
                        }
                }
        }
-       verify_rrsig(sig, validated_dnskeys.iter().map(|k| *k), records)
+
+       let mut found_unsupported_alg = false;
+       for sig in sigs {
+               match verify_rrsig(sig, validated_dnskeys.iter().map(|k| *k), records.clone()) {
+                       Ok(()) => return Ok(sig),
+                       Err(ValidationError::UnsupportedAlgorithm) => {
+                               // There may be redundant signatures by different keys, where one we don't
+                               // supprt and another we do. Ignore ones we don't support, but if there are
+                               // no more, return UnsupportedAlgorithm
+                               found_unsupported_alg = true;
+                       },
+                       Err(ValidationError::Invalid) => {
+                               // If a signature is invalid, just immediately fail, avoiding KeyTrap issues.
+                               return Err(ValidationError::Invalid);
+                       },
+               }
+       }
+
+       if found_unsupported_alg {
+               Err(ValidationError::UnsupportedAlgorithm)
+       } else {
+               Err(ValidationError::Invalid)
+       }
 }
 
 /// Given a set of [`RR`]s, [`verify_rr_stream`] checks what it can and returns the set of
@@ -215,7 +250,8 @@ where T: IntoIterator<IntoIter = I>, I: Iterator<Item = &'a DS> + Clone {
 /// contained records verified.
 #[derive(Debug, Clone)]
 pub struct VerifiedRRStream<'a> {
-       /// The set of verified [`RR`]s.
+       /// The set of verified [`RR`]s, not including [`DnsKey`], [`RRSig`], [`NSec`], and [`NSec3`]
+       /// records.
        ///
        /// These are not valid unless the current UNIX time is between [`Self::valid_from`] and
        /// [`Self::expires`].
@@ -254,6 +290,53 @@ fn resolve_time(time: u32) -> u64 {
        }
 }
 
+fn nsec_ord(a: &str, b: &str) -> Ordering {
+       let mut a_label_iter = a.rsplit(".");
+       let mut b_label_iter = b.rsplit(".");
+       loop {
+               match (a_label_iter.next(), b_label_iter.next()) {
+                       (Some(_), None) => return Ordering::Greater,
+                       (None, Some(_)) => return Ordering::Less,
+                       (Some(a_label), Some(b_label)) => {
+                               let mut a_bytes = a_label.bytes();
+                               let mut b_bytes = b_label.bytes();
+                               loop {
+                                       match (a_bytes.next(), b_bytes.next()) {
+                                               (Some(_), None) => return Ordering::Greater,
+                                               (None, Some(_)) => return Ordering::Less,
+                                               (Some(mut a), Some(mut b)) => {
+                                                       if a >= 'A' as u8 && a <= 'Z' as u8 {
+                                                               a += 'a' as u8 - 'A' as u8;
+                                                       }
+                                                       if b >= 'A' as u8 && b <= 'Z' as u8 {
+                                                               b += 'a' as u8 - 'A' as u8;
+                                                       }
+                                                       if a != b { return a.cmp(&b); }
+                                               },
+                                               (None, None) => break,
+                                       }
+                               }
+                       },
+                       (None, None) => return Ordering::Equal,
+               }
+       }
+}
+fn nsec_ord_extra<T, U>(a: &(&str, T, U), b: &(&str, T, U)) -> Ordering {
+       nsec_ord(a.0, b.0)
+}
+
+#[cfg(test)]
+#[test]
+fn rfc4034_sort_test() {
+       // Test nsec_ord based on RFC 4034 section 6.1's example
+       // Note that we replace the \200 example  with \7f as I have no idea what \200 is
+       let v = vec!["example.", "a.example.", "yljkjljk.a.example.", "Z.a.example.",
+               "zABC.a.EXAMPLE.", "z.example.", "\001.z.example.", "*.z.example.", "\x7f.z.example."];
+       let mut sorted = v.clone();
+       sorted.sort_unstable_by(|a, b| nsec_ord(*a, *b));
+       assert_eq!(sorted, v);
+}
+
 /// Verifies the given set of resource records.
 ///
 /// Given a set of arbitrary records, this attempts to validate DNSSEC data from the [`root_hints`]
@@ -267,12 +350,12 @@ fn resolve_time(time: u32) -> u64 {
 pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<VerifiedRRStream<'a>, ValidationError> {
        let mut zone = ".";
        let mut res = Vec::new();
+       let mut rrs_needing_non_existence_proofs = Vec::new();
        let mut pending_ds_sets = Vec::with_capacity(1);
        let mut latest_inception = 0;
        let mut earliest_expiry = u64::MAX;
        let mut min_ttl = u32::MAX;
        'next_zone: while zone == "." || !pending_ds_sets.is_empty() {
-               let mut found_unsupported_alg = false;
                let next_ds_set;
                if let Some((next_zone, ds_set)) = pending_ds_sets.pop() {
                        next_ds_set = Some(ds_set);
@@ -282,81 +365,171 @@ pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<VerifiedRRStream<'a>, Valid
                        next_ds_set = None;
                }
 
+               let dnskey_rrsigs = inp.iter()
+                       .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
+                       .filter(|rrsig| rrsig.name.as_str() == zone && rrsig.ty == DnsKey::TYPE);
+               let dnskeys = inp.iter()
+                       .filter_map(|rr| if let RR::DnsKey(dnskey) = rr { Some(dnskey) } else { None })
+                       .filter(move |dnskey| dnskey.name.as_str() == zone);
+               let root_hints = root_hints();
+               let verified_dnskey_rrsig = if zone == "." {
+                       verify_dnskeys(dnskey_rrsigs, &root_hints, dnskeys.clone().collect())?
+               } else {
+                       debug_assert!(next_ds_set.is_some());
+                       if next_ds_set.is_none() { break 'next_zone; }
+                       verify_dnskeys(dnskey_rrsigs, next_ds_set.clone().unwrap(), dnskeys.clone().collect())?
+               };
+               latest_inception = cmp::max(latest_inception, resolve_time(verified_dnskey_rrsig.inception));
+               earliest_expiry = cmp::min(earliest_expiry, resolve_time(verified_dnskey_rrsig.expiration));
+               min_ttl = cmp::min(min_ttl, verified_dnskey_rrsig.orig_ttl);
                for rrsig in inp.iter()
                        .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
-                       .filter(|rrsig| rrsig.name.as_str() == zone && rrsig.ty == DnsKey::TYPE)
+                       .filter(move |rrsig| rrsig.key_name.as_str() == zone && rrsig.ty != DnsKey::TYPE)
                {
-                       let dnskeys = inp.iter()
-                               .filter_map(|rr| if let RR::DnsKey(dnskey) = rr { Some(dnskey) } else { None })
-                               .filter(move |dnskey| dnskey.name.as_str() == zone);
-                       let dnskeys_verified = if zone == "." {
-                               verify_dnskey_rrsig(rrsig, &root_hints(), dnskeys.clone().collect())
-                       } else {
-                               debug_assert!(next_ds_set.is_some());
-                               if next_ds_set.is_none() { break 'next_zone; }
-                               verify_dnskey_rrsig(rrsig, next_ds_set.clone().unwrap(), dnskeys.clone().collect())
-                       };
-                       if dnskeys_verified.is_ok() {
-                               latest_inception = cmp::max(latest_inception, resolve_time(rrsig.inception));
-                               earliest_expiry = cmp::min(earliest_expiry, resolve_time(rrsig.expiration));
-                               min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
-                               for rrsig in inp.iter()
-                                       .filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
-                                       .filter(move |rrsig| rrsig.key_name.as_str() == zone && rrsig.ty != DnsKey::TYPE)
-                               {
-                                       if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); }
-                                       let signed_records = inp.iter()
-                                               .filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty);
-                                       verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect())?;
-                                       latest_inception = cmp::max(latest_inception, resolve_time(rrsig.inception));
-                                       earliest_expiry = cmp::min(earliest_expiry, resolve_time(rrsig.expiration));
-                                       min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
-                                       match rrsig.ty {
-                                               // RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s
-                                               RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid),
-                                               DS::TYPE => {
-                                                       if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.as_str()) {
-                                                               pending_ds_sets.push((
-                                                                       &rrsig.name,
-                                                                       signed_records.filter_map(|rr|
-                                                                               if let RR::DS(ds) = rr { Some(ds) }
-                                                                               else { debug_assert!(false, "We already filtered by type"); None })
-                                                               ));
-                                                       }
-                                               },
-                                               _ => {
-                                                       for record in signed_records {
-                                                               if !res.contains(&record) { res.push(record); }
-                                                       }
-                                               },
-                                       }
+                       if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); }
+                       let signed_records = inp.iter()
+                               .filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty);
+                       match verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect()) {
+                               Ok(()) => {},
+                               Err(ValidationError::UnsupportedAlgorithm) => continue,
+                               Err(ValidationError::Invalid) => {
+                                       // If a signature is invalid, just immediately fail, avoiding KeyTrap issues.
+                                       return Err(ValidationError::Invalid);
                                }
-                               continue 'next_zone;
-                       } else if dnskeys_verified == Err(ValidationError::UnsupportedAlgorithm) {
-                               // There may be redundant signatures by different keys, where one we don't supprt
-                               // and another we do. Ignore ones we don't support, but if there are no more,
-                               // return UnsupportedAlgorithm
-                               found_unsupported_alg = true;
-                       } else {
-                               // We don't explicitly handle invalid signatures here, instead we move on to the
-                               // next RRSig (if there is one) and return `Invalid` if no `RRSig`s match.
+                       }
+                       latest_inception = cmp::max(latest_inception, resolve_time(rrsig.inception));
+                       earliest_expiry = cmp::min(earliest_expiry, resolve_time(rrsig.expiration));
+                       min_ttl = cmp::min(min_ttl, rrsig.orig_ttl);
+                       match rrsig.ty {
+                               // RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s
+                               RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid),
+                               DS::TYPE => {
+                                       if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.as_str()) {
+                                               pending_ds_sets.push((
+                                                       &rrsig.name,
+                                                       signed_records.filter_map(|rr|
+                                                               if let RR::DS(ds) = rr { Some(ds) }
+                                                               else { debug_assert!(false, "We already filtered by type"); None })
+                                               ));
+                                       }
+                               },
+                               _ => {
+                                       if rrsig.labels != rrsig.name.labels() && rrsig.ty != NSec::TYPE {
+                                               if rrsig.ty == NSec3::TYPE {
+                                                       // NSEC3 records should never appear on wildcards, so treat the
+                                                       // whole proof as invalid
+                                                       return Err(ValidationError::Invalid);
+                                               }
+                                               // If the RR used a wildcard, we need an NSEC/NSEC3 proof, which we
+                                               // check for at the end. Note that the proof should be for the
+                                               // "next closest" name, i.e. if the name here is a.b.c and it was
+                                               // signed as *.c, we want a proof for nothing being in b.c.
+                                               // Alternatively, if it was signed as *.b.c, we'd want a proof for
+                                               // a.b.c.
+                                               let proof_name = rrsig.name.trailing_n_labels(rrsig.labels + 1)
+                                                       .ok_or(ValidationError::Invalid)?;
+                                               rrs_needing_non_existence_proofs.push((proof_name, &rrsig.key_name, rrsig.ty));
+                                       }
+                                       for record in signed_records {
+                                               if !res.contains(&record) { res.push(record); }
+                                       }
+                               },
                        }
                }
-               // No RRSigs were able to verify our DnsKey set
-               if found_unsupported_alg {
-                       return Err(ValidationError::UnsupportedAlgorithm);
-               } else {
-                       return Err(ValidationError::Invalid);
-               }
+               continue 'next_zone;
        }
-       if res.is_empty() { Err(ValidationError::Invalid) }
-       else if latest_inception >= earliest_expiry { Err(ValidationError::Invalid) }
-       else {
-               Ok(VerifiedRRStream {
-                       verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
-                       max_cache_ttl: min_ttl,
-               })
+       if res.is_empty() { return Err(ValidationError::Invalid) }
+       if latest_inception >= earliest_expiry { return Err(ValidationError::Invalid) }
+
+       // First sort the proofs we're looking for so that the retains below avoid shifting.
+       rrs_needing_non_existence_proofs.sort_unstable_by(nsec_ord_extra);
+       'proof_search_loop: while let Some((name, zone, ty)) = rrs_needing_non_existence_proofs.pop() {
+               let nsec_search = res.iter()
+                       .filter_map(|rr| if let RR::NSec(nsec) = rr { Some(nsec) } else { None })
+                       .filter(|nsec| nsec.name.ends_with(zone.as_str()));
+               for nsec in nsec_search {
+                       let name_matches = nsec.name.as_str() == name;
+                       let name_contained = nsec_ord(&nsec.name,  &name) != Ordering::Greater &&
+                               nsec_ord(&nsec.next_name, name) == Ordering::Greater;
+                       if (name_matches && !nsec.types.contains_type(ty)) || name_contained {
+                               rrs_needing_non_existence_proofs
+                                       .retain(|(n, _, t)| *n != name || (name_matches && nsec.types.contains_type(*t)));
+                               continue 'proof_search_loop;
+                       }
+               }
+               let nsec3_search = res.iter()
+                       .filter_map(|rr| if let RR::NSec3(nsec3) = rr { Some(nsec3) } else { None })
+                       .filter(|nsec3| nsec3.name.ends_with(zone.as_str()));
+
+               // Because we will only ever have two entries, a Vec is simpler than a map here.
+               let mut nsec3params_to_name_hash = Vec::new();
+               for nsec3 in nsec3_search.clone() {
+                       if nsec3.hash_iterations > 2500 {
+                               // RFC 5115 places different limits on the iterations based on the signature key
+                               // length, but we just use 2500 for all key types
+                               continue;
+                       }
+                       if nsec3.hash_algo != 1 { continue; }
+                       if nsec3params_to_name_hash.iter()
+                               .any(|(iterations, salt, _)| *iterations == nsec3.hash_iterations && *salt == &nsec3.salt)
+                       { continue; }
+
+                       let mut hasher = crypto::hash::Hasher::sha1();
+                       write_name(&mut hasher, &name);
+                       hasher.update(&nsec3.salt);
+                       for _ in 0..nsec3.hash_iterations {
+                               let res = hasher.finish();
+                               hasher = crypto::hash::Hasher::sha1();
+                               hasher.update(res.as_ref());
+                               hasher.update(&nsec3.salt);
+                       }
+                       nsec3params_to_name_hash.push((nsec3.hash_iterations, &nsec3.salt, hasher.finish()));
+
+                       if nsec3params_to_name_hash.len() >= 2 {
+                               // We only allow for up to two sets of hash_iterations/salt per zone. Beyond that
+                               // we assume this is a malicious DoSing proof and give up.
+                               break;
+                       }
+               }
+               for nsec3 in nsec3_search {
+                       if nsec3.flags != 0 {
+                               // This is an opt-out NSEC3 (or has unknown flags set). Thus, we shouldn't rely on
+                               // it as proof that some record doesn't exist.
+                               continue;
+                       }
+                       if nsec3.hash_algo != 1 { continue; }
+                       let name_hash = if let Some((_, _, hash)) =
+                               nsec3params_to_name_hash.iter()
+                               .find(|(iterations, salt, _)| *iterations == nsec3.hash_iterations && *salt == &nsec3.salt)
+                       {
+                               hash
+                       } else { continue };
+
+                       let (start_hash_base32, _) = nsec3.name.split_once(".")
+                               .unwrap_or_else(|| { debug_assert!(false); ("", "")});
+                       let start_hash = if let Ok(start_hash) = base32::decode(start_hash_base32) {
+                               start_hash
+                       } else { continue };
+                       if start_hash.len() != 20 || nsec3.next_name_hash.len() != 20 { continue; }
+
+                       let hash_matches = &start_hash[..] == name_hash.as_ref();
+                       let hash_contained =
+                               &start_hash[..] <= name_hash.as_ref() && &nsec3.next_name_hash[..] > name_hash.as_ref();
+                       if (hash_matches && !nsec3.types.contains_type(ty)) || hash_contained {
+                               rrs_needing_non_existence_proofs
+                                       .retain(|(n, _, t)| *n != name || (hash_matches && nsec3.types.contains_type(*t)));
+                               continue 'proof_search_loop;
+                       }
+               }
+               return Err(ValidationError::Invalid);
        }
+
+       res.retain(|rr| rr.ty() != NSec::TYPE && rr.ty() != NSec3::TYPE);
+
+       Ok(VerifiedRRStream {
+               verified_rrs: res, valid_from: latest_inception, expires: earliest_expiry,
+               max_cache_ttl: min_ttl,
+       })
 }
 
 impl<'a> VerifiedRRStream<'a> {
@@ -429,7 +602,7 @@ mod tests {
                        signature: base64::decode("GIgwndRLXgt7GX/JNEqSvpYw5ij6EgeQivdC/hmNNuOd2MCQRSxZx2DdLZUoK0tmn2XmOd0vYP06DgkIMUpIXcBstw/Um55WQhvBkBTPIhuB3UvKYJstmq+8hFHWVJwKHTg9xu38JA43VgCV2AbzurbzNOLSgq+rDPelRXzpLr5aYE3y+EuvL+I5gusm4MMajnp5S+ioWOL+yWOnQE6XKoDmlrfcTrYfRSxRtJewPmGeCbNdwEUBOoLUVdkCjQG4uFykcKL40cY8EOhVmM3kXAyuPuNe2Xz1QrIcVad/U4FDns+hd8+W+sWnr8QAtIUFT5pBjXooGS02m6eMdSeU6g==").unwrap(),
                };
                let root_hints = root_hints();
-               verify_dnskey_rrsig(&dnskey_rrsig, &root_hints, dnskeys.iter().collect()).unwrap();
+               verify_dnskeys([&dnskey_rrsig], &root_hints, dnskeys.iter().collect()).unwrap();
                let rrs = vec![dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
                (dnskeys, rrs)
        }
@@ -458,7 +631,7 @@ mod tests {
                        expiration: 1710342155, inception: 1709045855, key_tag: 19718, key_name: "com.".try_into().unwrap(),
                        signature: base64::decode("lF2B9nXZn0CgytrHH6xB0NTva4G/aWvg/ypnSxJ8+ZXlvR0C4974yB+nd2ZWzWMICs/oPYMKoQHqxVjnGyu8nA==").unwrap(),
                };
-               verify_dnskey_rrsig(&dnskey_rrsig, &com_ds, dnskeys.iter().collect()).unwrap();
+               verify_dnskeys([&dnskey_rrsig], &com_ds, dnskeys.iter().collect()).unwrap();
                let rrs = vec![com_ds.pop().unwrap().into(), ds_rrsig.into(),
                        dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
                (dnskeys, rrs)
@@ -491,7 +664,7 @@ mod tests {
                        expiration: 1710689605, inception: 1708871605, key_tag: 46082, key_name: "ninja.".try_into().unwrap(),
                        signature: base64::decode("kYxV1z+9Ikxqbr13N+8HFWWnAUcvHkr/dmkdf21mliUhH4cxeYCXC6a95X+YzjYQEQi3fU+S346QBDJkbFYCca5q/TzUdE7ej1B/0uTzhgNrQznm0O6sg6DI3HuqDfZp2oaBQm2C/H4vjkcUW9zxgKP8ON0KKLrZUuYelGazeGSOscjDDlmuNMD7tHhFrmK9BiiX+8sp8Cl+IE5ArP+CPXsII+P+R2QTmTqw5ovJch2FLRMRqCliEzTR/IswBI3FfegZR8h9xJ0gfyD2rDqf6lwJhD1K0aS5wxia+bgzpRIKwiGfP87GDYzkygHr83QbmZS2YG1nxlnQ2rgkqTGgXA==").unwrap(),
                };
-               verify_dnskey_rrsig(&dnskey_rrsig, &ninja_ds, dnskeys.iter().collect()).unwrap();
+               verify_dnskeys([&dnskey_rrsig], &ninja_ds, dnskeys.iter().collect()).unwrap();
                let rrs = vec![ninja_ds.pop().unwrap().into(), ds_rrsig.into(),
                        dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskeys[2].clone().into(),
                        dnskey_rrsig.into()];
@@ -525,7 +698,7 @@ mod tests {
                        expiration:1710262250, inception: 1709047250, key_tag: 25630, key_name: "mattcorallo.com.".try_into().unwrap(),
                        signature: base64::decode("dMLDvNU96m+tfgpDIQPxMBJy7T0xyZDj3Wws4b4E6+g3nt5iULdWJ8Eqrj+86KLerOVt7KH4h/YcHP18hHdMGA==").unwrap(),
                };
-               verify_dnskey_rrsig(&dnskey_rrsig, &mattcorallo_ds, dnskeys.iter().collect()).unwrap();
+               verify_dnskeys([&dnskey_rrsig], &mattcorallo_ds, dnskeys.iter().collect()).unwrap();
                let rrs = vec![mattcorallo_ds.pop().unwrap().into(), ds_rrsig.into(),
                        dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskeys[2].clone().into(),
                        dnskey_rrsig.into()];
@@ -570,7 +743,7 @@ mod tests {
                        expiration: 1709947337, inception: 1708732337, key_tag: 63175, key_name: "bitcoin.ninja.".try_into().unwrap(),
                        signature: base64::decode("Y3To5FZoZuBDUMtIBZXqzRtufyRqOlDqbHVcoZQitXxerCgNQ1CsVdmoFVMmZqRV5n4itINX2x+9G/31j410og==").unwrap(),
                };
-               verify_dnskey_rrsig(&dnskey_rrsig, &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
+               verify_dnskeys([&dnskey_rrsig], &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
                let rrs = vec![bitcoin_ninja_ds.pop().unwrap().into(), ds_rrsig.into(),
                        dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
                (dnskeys, rrs)
@@ -736,7 +909,7 @@ mod tests {
                        key_tag: 8036, key_name: "nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap(),
                        signature: base64::decode("nX+hkH14Kvjp26Z8x/pjYh5CQW3p9lZQQ+FVJcKHyfjAilEubpw6ihlPpb3Ddh9BbyxhCEFhXDMG2g4od9Y2ow==").unwrap(),
                };
-               verify_dnskey_rrsig(&dnskey_rrsig, &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
+               verify_dnskeys([&dnskey_rrsig], &bitcoin_ninja_ds, dnskeys.iter().collect()).unwrap();
                let rrs = vec![bitcoin_ninja_ds.pop().unwrap().into(), ds_rrsig.into(),
                        dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
                (dnskeys, rrs)
@@ -928,7 +1101,7 @@ mod tests {
                rrs.shuffle(&mut rand::rngs::OsRng);
                let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
                verified_rrs.verified_rrs.sort();
-               assert_eq!(verified_rrs.verified_rrs.len(), 5);
+               assert_eq!(verified_rrs.verified_rrs.len(), 2);
                if let RR::Txt(txt) = &verified_rrs.verified_rrs[0] {
                        assert_eq!(txt.name.as_str(), "asdf.wildcard_test.dnssec_proof_tests.bitcoin.ninja.");
                        assert_eq!(txt.data, b"wildcard_test");
@@ -947,6 +1120,81 @@ mod tests {
                } else { panic!(); }
        }
 
+       #[test]
+       fn check_simple_nsec_zone_proof() {
+               let mut rr_stream = Vec::new();
+               for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+               for rr in ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+               for rr in bitcoin_ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+               for rr in bitcoin_ninja_nsec_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+               let (txt, txt_rrsig) = bitcoin_ninja_nsec_record();
+               for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+
+               let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+               rrs.shuffle(&mut rand::rngs::OsRng);
+               let verified_rrs = verify_rr_stream(&rrs).unwrap();
+               let filtered_rrs =
+                       verified_rrs.resolve_name(&"a.nsec_tests.dnssec_proof_tests.bitcoin.ninja.".try_into().unwrap());
+               assert_eq!(filtered_rrs.len(), 1);
+               if let RR::Txt(txt) = &filtered_rrs[0] {
+                       assert_eq!(txt.name.as_str(), "a.nsec_tests.dnssec_proof_tests.bitcoin.ninja.");
+                       assert_eq!(txt.data, b"txt_a");
+               } else { panic!(); }
+       }
+
+       #[test]
+       fn check_nsec_wildcard_proof() {
+               let check_proof = |pfx: &str, post_override: bool| -> Result<(), ()> {
+                       let mut rr_stream = Vec::new();
+                       for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+                       for rr in ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+                       for rr in bitcoin_ninja_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+                       for rr in bitcoin_ninja_nsec_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+                       let (txt, txt_rrsig, nsec, nsec_rrsig) = if post_override {
+                               bitcoin_ninja_nsec_post_override_wildcard_record(pfx)
+                       } else {
+                               bitcoin_ninja_nsec_wildcard_record(pfx)
+                       };
+                       for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+                       for rr in [RR::NSec(nsec), RR::RRSig(nsec_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+
+                       let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+                       rrs.shuffle(&mut rand::rngs::OsRng);
+                       // If the post_override flag is wrong (or the pfx is override), this will fail. No
+                       // other calls in this lambda should fail.
+                       let verified_rrs = verify_rr_stream(&rrs).map_err(|_| ())?;
+                       let name: Name =
+                               (pfx.to_owned() + ".wildcard_test.nsec_tests.dnssec_proof_tests.bitcoin.ninja.").try_into().unwrap();
+                       let filtered_rrs = verified_rrs.resolve_name(&name);
+                       assert_eq!(filtered_rrs.len(), 1);
+                       if let RR::Txt(txt) = &filtered_rrs[0] {
+                               assert_eq!(txt.name, name);
+                               assert_eq!(txt.data, b"wildcard_test");
+                       } else { panic!(); }
+                       Ok(())
+               };
+               // Records up to override will only work with the pre-override NSEC, and afterwards with
+               // the post-override NSEC. The literal override will always fail.
+               check_proof("a", false).unwrap();
+               check_proof("a", true).unwrap_err();
+               check_proof("a.b", false).unwrap();
+               check_proof("a.b", true).unwrap_err();
+               check_proof("o", false).unwrap();
+               check_proof("o", true).unwrap_err();
+               check_proof("a.o", false).unwrap();
+               check_proof("a.o", true).unwrap_err();
+               check_proof("override", false).unwrap_err();
+               check_proof("override", true).unwrap_err();
+               // Subdomains of override are also overridden by the override TXT entry and cannot use the
+               // wildcard record.
+               check_proof("b.override", false).unwrap_err();
+               check_proof("b.override", true).unwrap_err();
+               check_proof("z", false).unwrap_err();
+               check_proof("z", true).unwrap_err();
+               check_proof("a.z", false).unwrap_err();
+               check_proof("a.z", true).unwrap_err();
+       }
+
        #[test]
        fn check_txt_sort_order() {
                let mut rr_stream = Vec::new();
Generates and validates RFC 9102-formatted DNSSEC proofs