From: Wouter Wijngaards Date: Tue, 20 Nov 2018 09:44:40 +0000 (+0000) Subject: - Scrub NS records from NXDOMAIN responses to stop fragmentation X-Git-Tag: release-1.8.2rc1~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f7e99131b9ae56228533dea0fb545ed19a4f302c;p=thirdparty%2Funbound.git - Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache. git-svn-id: file:///svn/unbound/trunk@4961 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 38ca195cd..2048dfa9b 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +20 November 2018: Wouter + - Scrub NS records from NXDOMAIN responses to stop fragmentation + poisoning of the cache. + 19 November 2018: Wouter - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes option in unbound.conf. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index b354eaa28..a1cd0f441 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -497,6 +497,16 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, "RRset:", pkt, msg, prev, &rrset); continue; } + /* we don't want NS sets for NXDOMAIN answers, + * because they could contain poisonous contents, + * from. eg. fragmentation attacks, inserted after + * long RRSIGs in the packet get to the packet + * border and such */ + if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) { + remove_rrset("normalize: removing irrelevant " + "RRset:", pkt, msg, prev, &rrset); + continue; + } if(nsset == NULL) { nsset = rrset; } else { diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl index be05e2f43..6110148a3 100644 --- a/testdata/iter_domain_sale.rpl +++ b/testdata/iter_domain_sale.rpl 
@@ -241,9 +241,9 @@ SECTION ANSWER SECTION AUTHORITY ; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA example.com. 5 IN SOA a. b. 1 2 3 4 5 -example.com. 1800 IN NS ns.example.com. +;example.com. 1800 IN NS ns.example.com. SECTION ADDITIONAL -ns.example.com. 1800 IN A 1.2.3.4 +;ns.example.com. 1800 IN A 1.2.3.4 ENTRY_END ; after another 1900 seconds the domain must have timed out. diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl index 5af54efb9..5664855d5 100644 --- a/testdata/iter_domain_sale_nschange.rpl +++ b/testdata/iter_domain_sale_nschange.rpl @@ -288,9 +288,9 @@ SECTION ANSWER SECTION AUTHORITY ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA. example.com. 5 IN SOA a. b. 1 2 3 4 5 -example.com. 3600 IN NS nsb.example.com. +;example.com. 3600 IN NS nsb.example.com. SECTION ADDITIONAL -nsb.example.com. 3600 IN A 1.2.3.4 +;nsb.example.com. 3600 IN A 1.2.3.4 ENTRY_END STEP 62 QUERY @@ -310,9 +310,9 @@ SECTION ANSWER SECTION AUTHORITY ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA. example.com. 5 IN SOA a. b. 1 2 3 4 5 -example.com. 1800 IN NS nsb.example.com. +;example.com. 1800 IN NS nsb.example.com. SECTION ADDITIONAL -nsb.example.com. 3600 IN A 1.2.3.4 +;nsb.example.com. 3600 IN A 1.2.3.4 ENTRY_END ; after another 1900 seconds the domain must have timed out.
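Review bot: in the iterator/iter_scrub.c hunk, the new `FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN` branch in scrub_normalize logs exactly the same string, "normalize: removing irrelevant RRset:", as the removal directly above it, so a verbose log cannot show which rule dropped the NS set; give it a distinct message such as "normalize: removing NS RRset from NXDOMAIN answer:". The comment also reads "from. eg. fragmentation attacks", which should be "from, e.g., fragmentation attacks". Since the rcode is a property of the whole message, the check could be computed once before the RRset loop rather than re-evaluated for every NS set; that would also make it explicit that every NS set in an NXDOMAIN authority section is dropped, including the zone's own apex NS (as the updated tests show for example.com.), which is the intent: an NXDOMAIN answer only needs its SOA (and DNSSEC proofs) to be cached.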
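Review bot: in the testdata/iter_domain_sale.rpl hunk at @@ -241,9 the expected answer comments out ";example.com. 1800 IN NS ns.example.com." and ";ns.example.com. 1800 IN A 1.2.3.4" without saying why, so a later reader cannot tell whether the lines were dropped deliberately or left over from debugging; either delete them or add a comment that scrub_normalize now strips NS sets from NXDOMAIN replies. The comment matters especially for the additional-section glue: the C change only removes NS sets, yet the A record disappears from the expected answer as well, and nothing in the patch documents that second effect.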
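Review bot: the testdata/iter_domain_sale_nschange.rpl hunks at @@ -288,9 and @@ -310,9 only adjust existing expectations; nothing in the patch exercises the case the Changelog entry claims to fix, an NXDOMAIN reply whose authority section carries an NS set with matching additional glue that must not be cached. Add an rpl test in which the upstream NXDOMAIN answer includes such an NS set and foreign glue, then check that a later query for that name server is not answered from the injected data, so that a regression in the NXDOMAIN branch of scrub_normalize is caught rather than silently passing these TTL-focused tests.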