Fix issues verifying proofs built from 9.9.9.9

Sometimes proofs built from 9.9.9.9 include duplicate NSEC3
records, which we have to filter out before signature verification
or we'll get spurious signature verification errors.

diff --git a/src/validation.rs b/src/validation.rs
index 61ef023902c0481f051a96b26851f60b8ede666d..6417f0945e8ee9f213d36df2c767935d5c5676e5 100644 (file)
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -90,6 +90,11 @@ where Keys: IntoIterator<Item = &'a DnsKey> {
 
                        records.sort_unstable();
 
+                       // Some recursive resolvers (at least 9.9.9.9) give us a few too many records, and the
+                       // proof builder is too naive to filter them out. Instead, we filter them out here, as
+                       // there's no security harm to just removing identical records here.
+                       records.dedup();
+
                        for record in records.iter() {
                                let record_labels = record.name().labels() as usize;
                                let labels = sig.labels.into();