Check DNSKEY on denial of DS

spevnev · spevnev · commit 272c18bfbcfe · 2025-08-03T21:38:10.000-04:00
diff --git a/src/dnssec.cc b/src/dnssec.cc
@@ -421,9 +421,8 @@ std::optional<NSEC3> find_matching_nsec3(const std::vector<RR> &nsec3_rrset, con
         const auto &nsec3 = std::get<NSEC3>(nsec3_rrset[0].data);
 
         auto matching_domain = get_nsec3_domain(nsec3, domain, zone_domain);
-        for (const auto &nsec3_rr : nsec3_rrset) {
-            if (nsec3_rr.domain == matching_domain) return std::get<NSEC3>(nsec3_rr.data);
-        }
+        auto nsec3_rr = std::ranges::find(nsec3_rrset, matching_domain, &RR::domain);
+        if (nsec3_rr != nsec3_rrset.end()) return std::get<NSEC3>(nsec3_rr->data);
     } catch (...) {
     }
     return std::nullopt;
@@ -614,27 +613,26 @@ bool authenticate_name_error(const std::string &domain, const std::vector<RR> &n
     return false;
 }
 
-bool authenticate_no_ds(const std::string &domain, const std::vector<RR> &nsec3_rrset, const std::optional<RR> &nsec_rr,
-                        const std::string &zone_domain) {
+std::optional<bool> authenticate_no_ds(const std::string &domain, const std::vector<RR> &nsec3_rrset,
+                                       const std::optional<RR> &nsec_rr, const std::string &zone_domain) {
     if (!nsec3_rrset.empty()) {
         auto nsec3 = find_matching_nsec3(nsec3_rrset, domain, zone_domain);
         if (nsec3.has_value()) {
-            if (nsec3->types.contains(RRType::DS) || nsec3->types.contains(RRType::CNAME)) return false;
-
-            return true;
+            if (nsec3->types.contains(RRType::DS) || nsec3->types.contains(RRType::CNAME)) return std::nullopt;
+            return nsec3->types.contains(RRType::DNSKEY);
         }
 
         // If no NSEC3 matches the name, the next closer NSEC3 must have opt out flag set.
         auto encloser_proof = verify_closest_encloser_proof(nsec3_rrset, domain, zone_domain);
-        return encloser_proof.has_value() && encloser_proof->next_closer_opt_out;
+        if (!encloser_proof.has_value() || !encloser_proof->next_closer_opt_out) return std::nullopt;
+        return true;
     }
 
-    if (!nsec_rr.has_value() || nsec_rr->type != RRType::NSEC) return false;
+    if (!nsec_rr.has_value() || nsec_rr->type != RRType::NSEC) return std::nullopt;
     const auto &nsec = std::get<NSEC>(nsec_rr->data);
 
-    if (nsec.types.contains(RRType::DS) || nsec.types.contains(RRType::CNAME)) return false;
-
-    return true;
+    if (nsec.types.contains(RRType::DS) || nsec.types.contains(RRType::CNAME)) return std::nullopt;
+    return nsec.types.contains(RRType::DNSKEY);
 }
 
 bool authenticate_no_rrset(RRType rr_type, const std::string &domain, const std::vector<RR> &nsec3_rrset,
diff --git a/src/dnssec.hh b/src/dnssec.hh
@@ -15,8 +15,9 @@ bool authenticate_delegation(const std::vector<RR> &dnskey_rrset, const std::vec
                              const std::vector<RRSIG> &rrsigs, const std::string &zone_domain);
 bool authenticate_name_error(const std::string &domain, const std::vector<RR> &nsec3_rrset,
                              const std::vector<RR> &nsec_rrset, const std::string &zone_domain);
-bool authenticate_no_ds(const std::string &domain, const std::vector<RR> &nsec3_rrset, const std::optional<RR> &nsec_rr,
-                        const std::string &zone_domain);
+// Authenticate the denial of existence of DS RRset, and returns whether the domain has DNSKEY.
+std::optional<bool> authenticate_no_ds(const std::string &domain, const std::vector<RR> &nsec3_rrset,
+                                       const std::optional<RR> &nsec_rr, const std::string &zone_domain);
 bool authenticate_no_rrset(RRType rr_type, const std::string &domain, const std::vector<RR> &nsec3_rrset,
                            const std::optional<RR> &nsec_rr, const std::string &zone_domain);
 };  // namespace dnssec
diff --git a/src/resolve.cc b/src/resolve.cc
@@ -615,10 +615,12 @@ std::optional<std::vector<RR>> Resolver::resolve_rec(const std::string &domain,
                             auto nsec3_rrset = get_rrset(response.authority, RRType::NSEC3, *zone);
                             auto nsec_rrset = get_rrset(response.authority, RRType::NSEC, referral_zone->domain, *zone);
                             auto nsec_rr = nsec_rrset.empty() ? std::nullopt : std::optional<RR>{nsec_rrset[0]};
-                            if (!dnssec::authenticate_no_ds(referral_zone->domain, nsec3_rrset, nsec_rr,
-                                                            zone->domain)) {
+                            auto result
+                                = dnssec::authenticate_no_ds(referral_zone->domain, nsec3_rrset, nsec_rr, zone->domain);
+                            if (!result.has_value()) {
                                 throw std::runtime_error("Failed to authenticate the denial of existence");
                             }
+                            referral_zone->enable_dnssec = result.value();
                         }
                     }
 

Original file line number	Diff line number	Diff line change
`@@ -615,10 +615,12 @@ std::optional<std::vector<RR>> Resolver::resolve_rec(const std::string &domain,`
`615`	`615`	`auto nsec3_rrset = get_rrset(response.authority, RRType::NSEC3, *zone);`
`616`	`616`	`auto nsec_rrset = get_rrset(response.authority, RRType::NSEC, referral_zone->domain, *zone);`
`617`	`617`	`auto nsec_rr = nsec_rrset.empty() ? std::nullopt : std::optional<RR>{nsec_rrset[0]};`
`618`		`- if (!dnssec::authenticate_no_ds(referral_zone->domain, nsec3_rrset, nsec_rr,`
`619`		`- zone->domain)) {`
	`618`	`+ auto result`
	`619`	`+ = dnssec::authenticate_no_ds(referral_zone->domain, nsec3_rrset, nsec_rr, zone->domain);`
	`620`	`+ if (!result.has_value()) {`
`620`	`621`	`throw std::runtime_error("Failed to authenticate the denial of existence");`
`621`	`622`	`}`
	`623`	`+ referral_zone->enable_dnssec = result.value();`
`622`	`624`	`}`
`623`	`625`	`}`
`624`	`626`