1 | From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Fri, 27 Mar 2015 11:44:55 +0000 | |
efbd3a9a | 4 | Subject: [PATCH 63/98] Protect against broken DNSSEC upstreams. |
5 | |
6 | --- | |
7 | src/dnssec.c | 7 +++++-- | |
8 | 1 file changed, 5 insertions(+), 2 deletions(-) | |
9 | ||
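diff --git a/src/dnssec.c b/src/dnssec.c
index db5c768bd751..14bae7e9bf75 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1177,7 +1177,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
    STAT_NO_DS It's proved there's no DS here.
    STAT_NO_NS It's proved there's no DS _or_ NS here.
    STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
-   STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
+   STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname
 */
 
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
@@ -1208,7 +1208,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
   if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
     val = STAT_BOGUS;
 
-  if (val == STAT_BOGUS)
+  /* If the key needed to validate the DS is on the same domain as the DS, we'll
+     loop getting nowhere. Stop that now. This can happen of the DS answer comes
+     from the DS's zone, and not the parent zone. */
+  if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname)))
     {
       log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
       return STAT_BOGUS;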
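Review bot: The new self-referential-key case in the second hunk is folded into the existing `log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS")` line, so an upstream that answers the DS query from the child zone instead of the parent is logged identically to a genuinely bogus or unsigned DS reply, which makes the "broken upstream" condition the commit targets hard to distinguish from an attack or validation failure when reading logs. Logging it separately, e.g. `log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS (key in same zone)");` in its own branch before the shared `return STAT_BOGUS;`, would keep the fail-closed behaviour while giving operators a clear diagnostic. The new comment also reads `This can happen of the DS answer comes` where `if` is presumably meant. The guard only catches the exact-name case; whether a key name that is a different label under the same misbehaving zone can still cause the loop described cannot be judged from this hunk alone. dnssec_validate_ds starts before this hunk and its body continues past it.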
35 | -- | |
36 | 2.1.0 | |
37 |