From: Kees Monshouwer Date: Sun, 20 Jul 2014 11:15:53 +0000 (+0200) Subject: limit the number of NSEC3 iterations RFC5155 10.3 X-Git-Tag: auth-3.4.0-rc1~26^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F1623%2Fhead;p=thirdparty%2Fpdns.git limit the number of NSEC3 iterations RFC5155 10.3 --- diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index ce7184e961..cff84a2fb5 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -159,6 +159,7 @@ void declareArguments() ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256"; ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0"; + ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3 ::arg().set("include-dir","Include *.conf files from this directory"); } diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index 1c7c7242f4..da7b37f56d 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -233,11 +233,16 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte if(value.empty()) { // "no NSEC3" return false; } - + + static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations"); if(ns3p) { NSEC3PARAMRecordContent* tmp=dynamic_cast(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value)); *ns3p = *tmp; delete tmp; + if (ns3p->d_iterations > maxNSEC3Iterations) { + ns3p->d_iterations = maxNSEC3Iterations; + L< maxNSEC3Iterations) + throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'"); + clearCaches(zname); string descr = ns3p.getZoneRepresentation(); vector meta; diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist index f74fc73ecf..fc767ac65c 100644 --- a/pdns/pdns.conf-dist +++ b/pdns/pdns.conf-dist 
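Review bot: The default `"500"` for `max-nsec3-iterations` is written out twice, here in `declareArguments()` and again in `loadMainConfig()` in pdns/pdnssec.cc, so the server and the pdnssec tool can end up enforcing different limits if only one literal is edited later. A shared constant used by both `::arg().set(...)` calls would keep them in step. The help string could also say what the limit does, for example `"Limit the number of NSEC3 hash iterations (higher stored values are lowered on read, higher new values are rejected)"`, which is the behaviour the pdns/dbdnsseckeeper.cc hunks show. Both functions continue outside their hunks.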
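Review bot: Lowering `ns3p->d_iterations` inside `getNSEC3PARAM()` hands callers a different iteration count than the one stored for the zone, and nothing visible in this hunk restricts that to zones this server hashes itself. If a zone's NSEC3 records or hashed owner names were produced with the stored count (a pre-signed zone, or data hashed before the limit was lowered; neither case is visible here), denial-of-existence answers would presumably stop validating. I would either skip the adjustment for such zones or state the consequence at the assignment, e.g. `// NOTE: this changes the hash parameters; NSEC3 data generated with the stored count no longer matches`. The page text of this hunk is cut off after the `L<` of the log statement, so the end of the function cannot be reviewed here.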
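Review bot: The limit compared just before `throw runtime_error("Can't set NSEC3PARAM for zone ...")` comes from `::arg().asNum("max-nsec3-iterations")` with no range check; the declaration is visible only in the `getNSEC3PARAM()` hunk, as a function-local `static int`, because the start of this hunk (presumably `setNSEC3PARAM`) is missing from the page. A negative setting would make this check reject every request and would make the read path assign a negative number to `d_iterations`, which RFC 5155 defines as a 16-bit unsigned field (the member's declared type is outside the diff). Validating once where the value is read would close that, e.g. `if (maxNSEC3Iterations < 0 || maxNSEC3Iterations > 65535) throw runtime_error("max-nsec3-iterations must be between 0 and 65535");`. Since the value is cached in a `static`, it is also fixed at first use for the life of the process, which deserves a short comment next to the declaration.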
@@ -264,6 +264,11 @@ # # max-ent-entries=100000 +################################# +# max-nsec3-iterations Limit the number of NSEC3 hash iterations +# +# max-nsec3-iterations=500 + ################################# # max-queue-length Maximum queuelength before considering situation lost # diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index 9379461d7f..06687b7946 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc @@ -137,6 +137,7 @@ void loadMainConfig(const std::string& configdir) ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom"; ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no"; + ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3 ::arg().laxFile(configname.c_str()); BackendMakers().launch(::arg()["launch"]); // vrooooom! diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index 408b16ad18..d4dadf778b 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc @@ -921,6 +921,11 @@ int PacketHandler::processUpdate(DNSPacket *p) { di.backend->abortTransaction(); return RCode::ServFail; } + catch(std::exception &e) { + L<abortTransaction(); + return RCode::ServFail; + } catch (...) { L<abortTransaction();