git.ipfire.org Git - thirdparty/systemd.git/commit
resolved: limit the number of signature validations in a transaction
author Ronan Pigott <ronan@rjp.ie>
Sun, 25 Feb 2024 01:21:24 +0000 (18:21 -0700)
committer Ronan Pigott <ronan@rjp.ie>
Mon, 26 Feb 2024 08:55:57 +0000 (01:55 -0700)
commit 67d0ce8843d612a2245d0966197d4f528b911b66
tree 1c8de6ade4881b870e991bbbe3a29200c658bbb2
parent c0561a05f5e3967a40e9ceb5e48b712c4574862e
resolved: limit the number of signature validations in a transaction

It has been demonstrated that tolerating an unbounded number of dnssec
signature validations is a bad idea. It is easy for a maliciously
crafted DNS reply to contain as many keytag collisions as desired,
causing us to iterate every dnskey and signature combination in vain.

The solution is to impose a maximum number of validations we will
tolerate. While collisions are not hard to craft, I still expect they
are unlikely in the wild so it should be safe to pick fairly small
values.

Here two limits are imposed: one on the maximum number of invalid
signatures encountered per rrset, and another on the total number of
validations performed per transaction.

src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-dnssec.h
src/resolve/resolved-dns-transaction.c
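
The two limits described in the commit message, as a stand-alone sketch added here for illustration; it is not the code from this commit. The names, the limit values (5 and 64) and the stand-in `verify()` are assumptions, and the sample keys and signatures are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed limits for this sketch; the commit message does not give the values. */
#define INVALID_MAX 5      /* invalid signatures tolerated per rrset */
#define VALIDATION_MAX 64  /* verifications tolerated per transaction */

struct key { uint16_t tag; int id; };        /* id stands in for key material */
struct sig { uint16_t tag; int signer_id; }; /* verifies only under key id == signer_id */
enum result { VALIDATED, NO_VALID_SIG, TOO_MANY_INVALID, BUDGET_EXHAUSTED };

/* Stand-in for the expensive cryptographic check. */
static bool verify(const struct sig *s, const struct key *k) { return s->signer_id == k->id; }

/* Validate one rrset. *spent is the transaction-wide verification counter. */
enum result validate_rrset(const struct sig *sigs, size_t n_sigs,
                           const struct key *keys, size_t n_keys, unsigned *spent) {
    unsigned invalid = 0;
    for (size_t i = 0; i < n_sigs; i++)
        for (size_t j = 0; j < n_keys; j++) {
            if (sigs[i].tag != keys[j].tag)
                continue;                     /* key tag mismatch: cheap, not counted */
            if (*spent >= VALIDATION_MAX)
                return BUDGET_EXHAUSTED;      /* per-transaction limit */
            (*spent)++;
            if (verify(&sigs[i], &keys[j]))
                return VALIDATED;
            if (++invalid >= INVALID_MAX)
                return TOO_MANY_INVALID;      /* per-rrset limit */
        }
    return NO_VALID_SIG;
}

/* Constructed input: n keys and n signatures that all share key tag 4242.
 * good_key < 0 means no signature verifies; otherwise every signature was
 * made by keys[good_key]. Runs `rrsets` such rrsets in one transaction. */
enum result run_transaction(size_t n, int good_key, int rrsets, unsigned *spent) {
    struct key keys[32]; struct sig sigs[32];
    enum result r = NO_VALID_SIG;
    if (n > 32) n = 32;
    for (size_t i = 0; i < n; i++) {
        keys[i] = (struct key){ 4242, (int)i };
        sigs[i] = (struct sig){ 4242, good_key };
    }
    *spent = 0;
    for (int k = 0; k < rrsets && r != BUDGET_EXHAUSTED; k++)
        r = validate_rrset(sigs, n, keys, n, spent);
    return r;
}
```

With 20 colliding keys and 20 signatures, an unbounded loop would attempt 400 verifications for one rrset; here it stops after 5, and a transaction stops at 64 no matter how many rrsets it carries.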