- Scrub NS records from NXDOMAIN responses to stop fragmentation

  poisoning of the cache.

git-svn-id: file:///svn/unbound/trunk@4961 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 38ca195cd5b768b93802f14e3a1114d13886db1e..2048dfa9b253f4e992d85a36fdd3ecb555dc048f 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+20 November 2018: Wouter
+       - Scrub NS records from NXDOMAIN responses to stop fragmentation
+         poisoning of the cache.
+
 19 November 2018: Wouter
        - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
          option in unbound.conf.

diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index b354eaa285b032dd78e6448e923ce268037a5785..a1cd0f441495fb24c63e6f14c896f77fee606630 100644 (file)
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -497,6 +497,16 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
                                        "RRset:", pkt, msg, prev, &rrset);
                                continue;
                        }
+                       /* we don't want NS sets for NXDOMAIN answers,
+                        * because they could contain poisonous contents,
+                        * from. eg. fragmentation attacks, inserted after
+                        * long RRSIGs in the packet get to the packet
+                        * border and such */
+                       if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) {
+                               remove_rrset("normalize: removing irrelevant "
+                                       "RRset:", pkt, msg, prev, &rrset);
+                               continue;
+                       }
                        if(nsset == NULL) {
                                nsset = rrset;
                        } else {

diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl
index be05e2f4363dc300b16535391bce5caf9938353f..6110148a3c8281ee0525f38e09d8c1b5f96c9b72 100644 (file)
--- a/testdata/iter_domain_sale.rpl
+++ b/testdata/iter_domain_sale.rpl
@@ -241,9 +241,9 @@ SECTION ANSWER
 SECTION AUTHORITY
 ; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
 example.com.   5 IN SOA        a. b. 1 2 3 4 5
-example.com.   1800 IN NS      ns.example.com.
+;example.com.  1800 IN NS      ns.example.com.
 SECTION ADDITIONAL
-ns.example.com.        1800    IN      A       1.2.3.4
+;ns.example.com.       1800    IN      A       1.2.3.4
 ENTRY_END
 
 ; after another 1900 seconds the domain must have timed out.

diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl
index 5af54efb9855df42fc4581e2e3444d9628cfd53b..5664855d50b88bb88a902f092496b1d58ced58ef 100644 (file)
--- a/testdata/iter_domain_sale_nschange.rpl
+++ b/testdata/iter_domain_sale_nschange.rpl
@@ -288,9 +288,9 @@ SECTION ANSWER
 SECTION AUTHORITY
 ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
 example.com.   5 IN SOA        a. b. 1 2 3 4 5
-example.com.   3600 IN NS      nsb.example.com.
+;example.com.  3600 IN NS      nsb.example.com.
 SECTION ADDITIONAL
-nsb.example.com.       3600    IN      A       1.2.3.4
+;nsb.example.com.      3600    IN      A       1.2.3.4
 ENTRY_END
 
 STEP 62 QUERY 
@@ -310,9 +310,9 @@ SECTION ANSWER
 SECTION AUTHORITY
 ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
 example.com.   5 IN SOA        a. b. 1 2 3 4 5
-example.com.   1800 IN NS      nsb.example.com.
+;example.com.  1800 IN NS      nsb.example.com.
 SECTION ADDITIONAL
-nsb.example.com.       3600    IN      A       1.2.3.4
+;nsb.example.com.      3600    IN      A       1.2.3.4
 ENTRY_END
 
 ; after another 1900 seconds the domain must have timed out.