limit the number of NSEC3 iterations RFC5155 10.3

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index ce7184e9611b6501bae6665b0f779fc53871cce7..cff84a2fb5e344125d1a9041f5c00e66ec403af2 100644 (file)
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -159,6 +159,7 @@ void declareArguments()
   ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
   ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
   ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";
+  ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 
   ::arg().set("include-dir","Include *.conf files from this directory");
 }

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 1c7c7242f4b5f1adb836b186a508bbf683123091..da7b37f56d810eb04e8fb087bfb408adb05cf7d4 100644 (file)
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -233,11 +233,16 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
   if(value.empty()) { // "no NSEC3"
     return false;
   }
-     
+
+  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
   if(ns3p) {
     NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
     *ns3p = *tmp;
     delete tmp;
+    if (ns3p->d_iterations > maxNSEC3Iterations) {
+      ns3p->d_iterations = maxNSEC3Iterations;
+      L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
+    }
   }
   if(narrow) {
     getFromMeta(zname, "NSEC3NARROW", value);
@@ -248,6 +253,10 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 
 bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
+  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
+  if (ns3p.d_iterations > maxNSEC3Iterations)
+    throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+
   clearCaches(zname);
   string descr = ns3p.getZoneRepresentation();
   vector<string> meta;

diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index f74fc73ecfe30cd6a2bc7da1a7e518c573ca98bc..fc767ac65c680ea6d6eb65d3a06afcef52c95ee7 100644 (file)
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -264,6 +264,11 @@
 #
 # max-ent-entries=100000
 
+#################################
+# max-nsec3-iterations Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
 #################################
 # max-queue-length     Maximum queuelength before considering situation lost
 #

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 9379461d7fd463af47830a5d6435a05258a8c026..06687b79467eea6e4bef01128cd341b97a377392 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -137,6 +137,7 @@ void loadMainConfig(const std::string& configdir)
   ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
 
   ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+  ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
   ::arg().laxFile(configname.c_str());
 
   BackendMakers().launch(::arg()["launch"]); // vrooooom!

diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 408b16ad182743b2863963e6d336c3a86ff24029..d4dadf778bf55a12eae2dda42cabb298811a4694 100644 (file)
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -921,6 +921,11 @@ int PacketHandler::processUpdate(DNSPacket *p) {
     di.backend->abortTransaction();
     return RCode::ServFail;
   }
+  catch(std::exception &e) {
+    L<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
+    di.backend->abortTransaction();
+    return RCode::ServFail;
+  }
   catch (...) {
     L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
     di.backend->abortTransaction();