Add nameerror proof

middleware/file/closest.go

@@ -20,3 +20,45 @@ func (z *Zone) ClosestEncloser(rr dns.RR) string {
 
 	return z.SOA.Header().Name
 }
+
+// nameErrorProof finds the closest encloser and return an NSEC that proofs
+// the wildcard does not exist and an NSEC that proofs the name does no exist.
+func (z *Zone) nameErrorProof(rr dns.RR) []dns.RR {
+	elem := z.Tree.Prev(rr)
+	if elem == nil {
+		return nil
+	}
+	nsec := z.lookupNSEC(elem, true)
+	nsecIndex := 0
+	for i := 0; i < len(nsec); i++ {
+		if nsec[i].Header().Rrtype == dns.TypeNSEC {
+			nsecIndex = i
+			break
+		}
+	}
+
+	ce := z.ClosestEncloser(rr)
+	wildcard := "*." + ce
+	rr.Header().Name = wildcard
+	elem = z.Tree.Prev(rr)
+	if elem == nil {
+		// Root?
+		return nil
+	}
+	nsec1 := z.lookupNSEC(elem, true)
+	nsec1Index := 0
+	for i := 0; i < len(nsec1); i++ {
+		if nsec1[i].Header().Rrtype == dns.TypeNSEC {
+			nsec1Index = i
+			break
+		}
+	}
+
+	// Check for duplicate NSEC.
+	if nsec[nsecIndex].Header().Name == nsec1[nsec1Index].Header().Name &&
+		nsec[nsecIndex].(*dns.NSEC).NextDomain == nsec1[nsec1Index].(*dns.NSEC).NextDomain {
+		return nsec
+	}
+
+	return append(nsec, nsec1...)
+}

middleware/file/dnssec_test.go

@@ -64,6 +64,33 @@ var dnssecTestCases = []coretest.Case{
 		Qname: "b.miek.nl.", Qtype: dns.TypeA, Do: true,
 		Rcode: dns.RcodeNameError,
 		Ns: []dns.RR{
+			coretest.NSEC("archive.miek.nl.	14400	IN	NSEC	go.dns.miek.nl. CNAME RRSIG NSEC"),
+			coretest.RRSIG("archive.miek.nl.	14400	IN	RRSIG	NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. jEpx8lcp4do5fWXg="),
+			coretest.NSEC("miek.nl.	14400	IN	NSEC	a.miek.nl. A NS SOA MX AAAA RRSIG NSEC DNSKEY"),
+			coretest.RRSIG("miek.nl.	14400	IN	RRSIG	NSEC 8 2 14400 20160426031301 20160327031301 12051 miek.nl. mFfc3r/9PSC1H6oSpdC"),
+			coretest.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
+			coretest.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+		},
+	},
+	{
+		Qname: "b.blaat.miek.nl.", Qtype: dns.TypeA, Do: true,
+		Rcode: dns.RcodeNameError,
+		Ns: []dns.RR{
+			coretest.NSEC("archive.miek.nl.	14400	IN	NSEC	go.dns.miek.nl. CNAME RRSIG NSEC"),
+			coretest.RRSIG("archive.miek.nl.	14400	IN	RRSIG	NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. jEpx8lcp4do5fWXg="),
+			coretest.NSEC("miek.nl.	14400	IN	NSEC	a.miek.nl. A NS SOA MX AAAA RRSIG NSEC DNSKEY"),
+			coretest.RRSIG("miek.nl.	14400	IN	RRSIG	NSEC 8 2 14400 20160426031301 20160327031301 12051 miek.nl. mFfc3r/9PSC1H6oSpdC"),
+			coretest.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
+			coretest.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
+		},
+	},
+	{
+		Qname: "b.a.miek.nl.", Qtype: dns.TypeA, Do: true,
+		Rcode: dns.RcodeNameError,
+		Ns: []dns.RR{
+			// dedupped NSEC, because 1 nsec tells all
+			coretest.NSEC("a.miek.nl.	14400	IN	NSEC	archive.miek.nl. A AAAA RRSIG NSEC"),
+			coretest.RRSIG("a.miek.nl.	14400	IN	RRSIG	NSEC 8 3 14400 20160426031301 20160327031301 12051 miek.nl. GqnF6cut/RRGPQ1QGQE1ipmSHEao="),
 			coretest.RRSIG("miek.nl.	1800	IN	RRSIG	SOA 8 2 1800 20160426031301 20160327031301 12051 miek.nl. FIrzy07acBbtyQczy1dc="),
 			coretest.SOA("miek.nl.	1800	IN	SOA	linode.atoom.net. miek.miek.nl. 1282630057 14400 3600 604800 14400"),
 		},

middleware/file/lookup.go

@@ -72,8 +72,7 @@ func (z *Zone) nameError(elem *tree.Elem, rr dns.RR, do bool) ([]dns.RR, []dns.R
 	ret := []dns.RR{z.SOA}
 	if do {
 		ret = append(ret, z.SIG...)
-		// Now we need two NSEC, one to deny the wildcard and one to deny the name.
-		// Needs closest encloser!!
+		ret = append(ret, z.nameErrorProof(rr)...)
 	}
 	return nil, ret, nil, NameError
 }