From 37251f01bdba40cf0c80d294eb802af3a9c6f6bb Mon Sep 17 00:00:00 2001
From: Matt Corallo
Date: Mon, 18 Nov 2024 14:49:36 +0000
Subject: [PATCH] Fix issues verifying proofs built from 9.9.9.9

Sometimes proofs built from 9.9.9.9 include duplicate NSEC3 records, which we have to filter out before signature verification or we'll get spurious signature verification errors.
---
 src/validation.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/validation.rs b/src/validation.rs
index 61ef023..6417f09 100644
--- a/src/validation.rs
+++ b/src/validation.rs
@@ -90,6 +90,11 @@ where Keys: IntoIterator {
 records.sort_unstable();
+ // Some recursive resolvers (at least 9.9.9.9) give us a few too many records, and the
+ // proof builder is too naive to filter them out. Instead, we filter them out here, as
+ // there's no security harm to just removing identical records here.
+ records.dedup();
+
 for record in records.iter() {
 let record_labels = record.name().labels() as usize;
 let labels = sig.labels.into();
--
2.39.5
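Review bot: The comment above `records.dedup();` justifies the removal only as having "no security harm"; it should cite the rule that permits it, e.g. `// RFC 4034 Section 6.3: duplicate RRs are removed before building the canonical RRset.`, so a later reader does not mistake it for a resolver-specific workaround that can be dropped. `dedup()` removes only adjacent elements that compare equal, so it depends on the preceding `records.sort_unstable()` and on the record type's `PartialEq` and `Ord` agreeing; those impls are outside the hunk, and if equality includes the TTL, duplicates differing only in TTL would presumably still reach signature verification. The diffstat shows only `src/validation.rs` changed, so a regression test that feeds a duplicated record into verification would be worth adding. The enclosing function starts and ends outside the hunk.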