1 | From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Mon, 12 Jan 2015 23:16:56 +0000 | |
4 | Subject: [PATCH 30/55] Don't answer from cache RRsets from wildcards, as we | |
5 | don't have NSECs. | |
6 | ||
7 | --- | |
8 | src/dnssec.c | 9 ++++++++- | |
9 | 1 file changed, 8 insertions(+), 1 deletion(-) | |
10 | ||
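diff --git a/src/dnssec.c b/src/dnssec.c
index afb3dca38cb1..d39ab85ed966 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 struct blockdata *key;
 struct crec *crecp;
 char *wildname;
+ int have_wildcard = 0;
 
 rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0);
 
 if (rc == STAT_SECURE_WILDCARD)
 {
+ have_wildcard = 1;
+
 /* An attacker replay a wildcard answer with a different
 answer and overlay a genuine RR. To prove this
 hasn't happened, the answer must prove that
@@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 p2 += 13; /* labels, orig_ttl, expiration, inception */
 GETSHORT(keytag, p2);
 
- if ((key = blockdata_alloc((char*)psave, rdlen2)))
+ /* We don't cache sigs for wildcard answers, because to reproduce the
+ answer from the cache will require one or more NSEC/NSEC3 records
+ which we don't cache. The lack of the RRSIG ensures that a query for
+ this RRset asking for a secure answer will always be forwarded. */
+ if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2)))
 {
 if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS)))
 blockdata_free(key);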
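Review bot: When `have_wildcard` is set, the new `!have_wildcard &&` guard short-circuits before `key` is assigned, and `key` is declared in the first hunk without an initializer, so if any code after this `if` (outside the hunk) still reads `key`, that read is of an indeterminate value; if nothing does, the change is sound. Either way the security argument is split across two hunks about 95 lines apart, so I would document it where the flag is declared: `int have_wildcard = 0; /* set when validate_rrset() returns STAT_SECURE_WILDCARD: the RRSIG is then not cached, so a query for this RRset that asks for a secure answer cannot be served from cache and is always forwarded */`. The invariant the added comment relies on — that an RRset whose RRSIG is absent from the cache is never answered as secure — is enforced elsewhere and not visible here, so a pointer to that code in the comment would help the next reader. dnssec_validate_reply() starts before the first hunk and continues past this one.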
43 | -- | |
44 | 2.1.0 | |