dnsmasq: Import latest patches from upstream
diff --git a/src/patches/dnsmasq/0063-Protect-against-broken-DNSSEC-upstreams.patch b/src/patches/dnsmasq/0063-Protect-against-broken-DNSSEC-upstreams.patch
new file mode 100644 (file)
index 0000000..93161d0
--- /dev/null
@@ -0,0 +1,37 @@
+From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 27 Mar 2015 11:44:55 +0000
+Subject: [PATCH 63/71] Protect against broken DNSSEC upstreams.
+
+---
+ src/dnssec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index db5c768bd751..14bae7e9bf75 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1177,7 +1177,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
+    STAT_NO_DS       It's proved there's no DS here.
+    STAT_NO_NS       It's proved there's no DS _or_ NS here.
+    STAT_BOGUS       no DS in reply or not signed, fails validation, bad packet.
+-   STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
++   STAT_NEED_KEY    DNSKEY records to validate a DS not found, name in keyname
+ */
+ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
+@@ -1208,7 +1208,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
+   if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
+     val = STAT_BOGUS;
+   
+-  if (val == STAT_BOGUS)
++  /* If the key needed to validate the DS is on the same domain as the DS, we'll
++     loop getting nowhere. Stop that now. This can happen of the DS answer comes
++     from the DS's zone, and not the parent zone. */
++  if (val == STAT_BOGUS ||  (val == STAT_NEED_KEY && hostname_isequal(name, keyname)))
+     {
+       log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
+       return STAT_BOGUS;
+-- 
+2.1.0
+
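Review bot: The comment added above the widened guard in the second inner hunk of src/dnssec.c reads `This can happen of the DS answer comes from the DS's zone`; `of` should be `if`, and the condition line carries a double space before `(val == STAT_NEED_KEY`. Because this file is an upstream dnsmasq patch imported verbatim, the wording and spacing fix belongs upstream rather than in a local edit of the .patch. The new guard only ends the retry loop when keyname is exactly equal to name, so whether a keyname that lies below name without being equal is stopped elsewhere cannot be judged from this hunk. The body of dnssec_validate_ds begins and ends outside the hunk.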