Invalid AuthenticationChain for wildcard records #1

Closed
buffrr opened this issue Feb 25, 2024 · 1 comment
Comments

buffrr commented Feb 25, 2024

Wildcard records require a non-existence proof, either NSEC or NSEC3, to prove no exact match exists, which is not included in the AuthenticationChain created by this library. Standard DNSSEC validators would consider such chains bogus.

Let's say I want secret.buffrr.dev to use some certificate while everything else (*.buffrr.dev) uses another certificate; I could add the following records to my zone:

_443._tcp.secret.buffrr.dev TLSA ....
*.buffrr.dev TLSA ....

Using the validator in this library, I could fool it into accepting the TLSA record labelled *.buffrr.dev for _443._tcp.secret.buffrr.dev while a standard DNSSEC validator would not. If an RRSIG is covering a wildcard (determined by number of labels), then NSECs or NSEC3s are required in the AuthenticationChain to prove no exact match exists.

Since this BIP requires following the RFC, I would suggest either fixing it or perhaps reconsidering support for wildcard records. Otherwise, it won't be compatible with all the validators out there unless every integration of the BIP uses this exact implementation.

I appreciate the effort put into developing this library and making it generic enough for other use cases. I just gave it a quick pass but will try to go deeper once I have some time since I'm considering it for other projects. Btw, RFC 9102 includes some test vectors in the appendix that might be helpful.
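The check described above, RFC 4035 §5.3.4's wildcard-expansion rule, written out as an added Rust example. This is not the library's code, nor code posted in the issue: names and NSEC records are simplified string models, the NSEC chain for buffrr.dev is constructed for illustration, the example assumes the NSEC records and their RRSIGs have already been validated, and NSEC3 is not modelled.

```rust
use std::cmp::Ordering;

/// Labels of a fully-qualified name, lowercased, root label omitted.
fn labels(name: &str) -> Vec<String> {
    name.trim_end_matches('.')
        .split('.')
        .filter(|l| !l.is_empty())
        .map(|l| l.to_ascii_lowercase())
        .collect()
}

/// RFC 4034 §6.1 canonical name ordering: compare labels from the root
/// down, each as a byte string; a missing label sorts first.
fn canonical_cmp(a: &str, b: &str) -> Ordering {
    let (la, lb) = (labels(a), labels(b));
    let (mut ia, mut ib) = (la.iter().rev(), lb.iter().rev());
    loop {
        match (ia.next(), ib.next()) {
            (None, None) => return Ordering::Equal,
            (None, Some(_)) => return Ordering::Less,
            (Some(_), None) => return Ordering::Greater,
            (Some(x), Some(y)) => match x.as_bytes().cmp(y.as_bytes()) {
                Ordering::Equal => continue,
                o => return o,
            },
        }
    }
}

/// Simplified NSEC: only owner/next matter for coverage (assumed validated).
pub struct Nsec {
    pub owner: String,
    pub next: String,
}

impl Nsec {
    /// True when `name` lies strictly between owner and next in canonical
    /// order, i.e. this NSEC proves `name` does not exist. If `next` is not
    /// after `owner`, this is the last record and wraps to the zone apex.
    fn covers(&self, name: &str) -> bool {
        let after_owner = canonical_cmp(&self.owner, name) == Ordering::Less;
        let before_next = canonical_cmp(name, &self.next) == Ordering::Less;
        let wraps = canonical_cmp(&self.next, &self.owner) != Ordering::Greater;
        after_owner && (before_next || wraps)
    }
}

#[derive(Debug, PartialEq)]
pub enum WildcardCheck {
    /// RRSIG Labels equals the owner's label count: no wildcard involved.
    NotWildcard,
    /// Wildcard expansion backed by a non-existence proof; carries the
    /// wildcard owner name the signature actually covers.
    ValidExpansion(String),
    /// The chain must be treated as bogus, with the reason.
    Bogus(&'static str),
}

/// RFC 4035 §5.3.4: an RRSIG Labels field smaller than the owner name's
/// label count means the RRset was synthesized from a wildcard, so an NSEC
/// proving the exact owner name does not exist is also required. Without
/// it, an RRset signed at `*.zone` can be passed off as the RRset for a
/// more specific name that really has its own records.
pub fn check_wildcard_expansion(owner_name: &str, rrsig_labels: u8, nsecs: &[Nsec]) -> WildcardCheck {
    let owner_labels = labels(owner_name);
    let (n, l) = (owner_labels.len(), rrsig_labels as usize);
    if l > n {
        return WildcardCheck::Bogus("RRSIG Labels field exceeds owner name label count");
    }
    if l == n {
        return WildcardCheck::NotWildcard;
    }
    // The signature was made over "*." followed by the last `l` labels.
    let wildcard = format!("*.{}.", owner_labels[n - l..].join("."));
    // An NSEC owned by the exact name proves it exists, contradicting
    // a wildcard-synthesized answer for it.
    if nsecs.iter().any(|r| canonical_cmp(&r.owner, owner_name) == Ordering::Equal) {
        return WildcardCheck::Bogus("exact owner name exists; wildcard expansion not permitted");
    }
    if nsecs.iter().any(|r| r.covers(owner_name)) {
        WildcardCheck::ValidExpansion(wildcard)
    } else {
        WildcardCheck::Bogus("wildcard-signed RRset without NSEC/NSEC3 proof that the exact name does not exist")
    }
}

/// Constructed NSEC chain for the zone in the issue: buffrr.dev with one
/// exact TLSA owner name and one wildcard (RRSIG Labels would be 5 and 2).
pub fn sample_chain() -> Vec<Nsec> {
    vec![
        Nsec { owner: "buffrr.dev.".into(), next: "*.buffrr.dev.".into() },
        Nsec { owner: "*.buffrr.dev.".into(), next: "_443._tcp.secret.buffrr.dev.".into() },
        Nsec { owner: "_443._tcp.secret.buffrr.dev.".into(), next: "buffrr.dev.".into() },
    ]
}

fn main() {
    let chain = sample_chain();
    // Wildcard RRSIG (Labels = 2) presented for the secret name with no NSECs: bogus.
    println!("{:?}", check_wildcard_expansion("_443._tcp.secret.buffrr.dev.", 2, &[]));
    // With the genuine chain the exact name is an NSEC owner, so it exists: bogus.
    println!("{:?}", check_wildcard_expansion("_443._tcp.secret.buffrr.dev.", 2, &chain));
    // A name the wildcard legitimately covers: valid expansion.
    println!("{:?}", check_wildcard_expansion("_443._tcp.other.buffrr.dev.", 2, &chain));
    // The exact name's own RRSIG carries Labels = 5: not a wildcard.
    println!("{:?}", check_wildcard_expansion("_443._tcp.secret.buffrr.dev.", 5, &chain));
}
```

The second call is the case from the issue: the wildcard-signed TLSA RRset cannot be accepted for _443._tcp.secret.buffrr.dev because no NSEC in the zone covers that name (it has its own NSEC), so a validator that demands the proof rejects the substitution while one that skips it does not.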

@TheBlueMatt (Owner)

Fixed, thanks.
