1 From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Mon, 12 Jan 2015 23:16:56 +0000
4 Subject: [PATCH 030/113] Don't answer from cache RRsets from wildcards, as we
8 src/dnssec.c | 9 ++++++++-
9 1 file changed, 8 insertions(+), 1 deletion(-)
11 diff --git a/src/dnssec.c b/src/dnssec.c
12 index afb3dca38cb1..d39ab85ed966 100644
15 @@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
16 struct blockdata *key;
19 + int have_wildcard = 0;
21 rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0);
23 if (rc == STAT_SECURE_WILDCARD)
27 /* An attacker replay a wildcard answer with a different
28 answer and overlay a genuine RR. To prove this
29 hasn't happened, the answer must prove that
30 @@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
31 p2 += 13; /* labels, orig_ttl, expiration, inception */
34 - if ((key = blockdata_alloc((char*)psave, rdlen2)))
35 + /* We don't cache sigs for wildcard answers, because to reproduce the
36 + answer from the cache will require one or more NSEC/NSEC3 records
37 + which we don't cache. The lack of the RRSIG ensures that a query for
38 + this RRset asking for a secure answer will always be forwarded. */
39 + if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2)))
41 if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS)))