- Make access-control-tag-data RDATA absolute. This makes the RDATA origin

consistent between local-data and access-control-tag-data.
- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a subdomain
  of the NSEC owner.



git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3930 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,9 @@
+22 Novenber 2016: Ralph
+	- Make access-control-tag-data RDATA absolute. This makes the RDATA
+	  origin consistent between local-data and access-control-tag-data.
+	- Fix NSEC ENT wildcard check. Matching wildcard does not have to be a
+	  subdomain of the NSEC owner.
+
 22 November 2016: Wouter
 	- iana portlist update.
 	- Fix unit tests for DS hash processing for fake-dsa test option.

services/localzone.c

@@ -1233,7 +1233,7 @@ find_tag_datas(struct query_info* qinfo, struct config_strlist* list,
 		/* does this element match the type? */
 		snprintf(buf, sizeof(buf), ". %s", p->str);
 		res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600,
-			zname, zlen, NULL, 0);
+			NULL, 0, NULL, 0);
 		if(res != 0)
 			/* parse errors are already checked before, in
 			 * acllist check_data, skip this for robustness */

validator/val_nsec.c

@@ -343,7 +343,7 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
 		} else {
 			/* See if the next owner name covers a wildcard
 			 * empty non-terminal. */
-			while (dname_strict_subdomain_c(nm, nsec->rk.dname)) {
+			while (dname_canonical_compare(nsec->rk.dname, nm) < 0) {
 				/* wildcard does not apply if qname below
 				 * the name that exists under the '*' */
 				if (dname_subdomain_c(qinfo->qname, nm))