tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream.
- Fix #3397: Fix that cachedb could return a partial CNAME chain.
+ - Fix #3397: Fix that when the cache contains an unsigned DNAME in
+ the middle of a cname chain, a result without the DNAME could
+ be returned.
19 January 2018: Wouter
- tag 1.6.8 for release with CVE fix.
/** synthesize DNAME+CNAME response from cached DNAME item */
static struct dns_msg*
synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
- time_t now, struct query_info* q)
+ time_t now, struct query_info* q, struct module_env* env)
{
struct dns_msg* msg;
struct ub_packed_rrset_key* ck;
return NULL;
/* only allow validated (with DNSSEC) DNAMEs used from cache
* for insecure DNAMEs, query again. */
- if(d->security != sec_status_secure)
- return NULL;
+ if(d->security != sec_status_secure) {
+ /* but if we have a CNAME cached with this name, then we
+ * have previously already allowed this name to pass.
+ * the next cache lookup is going to fetch that CNAME itself,
+ * but it is better to have the (unsigned)DNAME + CNAME in
+ * that case */
+ struct ub_packed_rrset_key* cname_rrset = rrset_cache_lookup(
+ env->rrset_cache, q->qname, q->qname_len,
+ LDNS_RR_TYPE_CNAME, q->qclass, 0, now, 0);
+ if(!cname_rrset)
+ return NULL;
+ lock_rw_unlock(&cname_rrset->entry.lock);
+ }
msg = gen_dns_msg(region, q, 2); /* DNAME + CNAME RRset */
if(!msg)
return NULL;
(rrset=find_closest_of_type(env, qname, qnamelen, qclass, now,
LDNS_RR_TYPE_DNAME, 1))) {
/* synthesize a DNAME+CNAME message based on this */
- struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k);
+ struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k,
+ env);
if(msg) {
lock_rw_unlock(&rrset->entry.lock);
return msg;
projects / thirdparty / unbound.git / commitdiff
