[ipfire-2.x.git] / src / patches / dnsmasq / 0030-Don-t-answer-from-cache-RRsets-from-wildcards-as-we-.patch

From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:16:56 +0000
Subject: [PATCH 30/98] Don't answer from cache RRsets from wildcards, as we
 don't have NSECs.

---
 src/dnssec.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index afb3dca38cb1..d39ab85ed966 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 	      struct blockdata *key;
 	      struct crec *crecp;
 	      char *wildname;
+	      int have_wildcard = 0;
 
 	      rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0);
 	      
 	      if (rc == STAT_SECURE_WILDCARD)
 		{
+		  have_wildcard = 1;
+
 		  /* An attacker replay a wildcard answer with a different
 		     answer and overlay a genuine RR. To prove this
 		     hasn't happened, the answer must prove that
@@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 			      p2 += 13; /* labels, orig_ttl, expiration, inception */
 			      GETSHORT(keytag, p2);
 			      
-			      if ((key = blockdata_alloc((char*)psave, rdlen2)))
+			      /* We don't cache sigs for wildcard answers, because to reproduce the
+				 answer from the cache will require one or more NSEC/NSEC3 records 
+				 which we don't cache. The lack of the RRSIG ensures that a query for
+				 this RRset asking for a secure answer will always be forwarded. */
+			      if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2)))
 				{
 				  if (!(crecp = cache_insert(name, &a, now, ttl,  F_FORWARD | F_DNSKEY | F_DS)))
 				    blockdata_free(key);
-- 
2.1.0
Commit	Line	Data
6644c1c7 MT	1	From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Mon, 12 Jan 2015 23:16:56 +0000
888c41de	4	Subject: [PATCH 30/98] Don't answer from cache RRsets from wildcards, as we
6644c1c7 MT	5	don't have NSECs.
	6
	7	---
	8	src/dnssec.c \| 9 ++++++++-
	9	1 file changed, 8 insertions(+), 1 deletion(-)
	10
	11	diff --git a/src/dnssec.c b/src/dnssec.c
	12	index afb3dca38cb1..d39ab85ed966 100644
	13	--- a/src/dnssec.c
	14	+++ b/src/dnssec.c
	15	@@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
	16	struct blockdata *key;
	17	struct crec *crecp;
	18	char *wildname;
	19	+ int have_wildcard = 0;
	20
	21	rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0);
	22
	23	if (rc == STAT_SECURE_WILDCARD)
	24	{
	25	+ have_wildcard = 1;
	26	+
	27	/* An attacker replay a wildcard answer with a different
	28	answer and overlay a genuine RR. To prove this
	29	hasn't happened, the answer must prove that
	30	@@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
	31	p2 += 13; /* labels, orig_ttl, expiration, inception */
	32	GETSHORT(keytag, p2);
	33
	34	- if ((key = blockdata_alloc((char*)psave, rdlen2)))
	35	+ /* We don't cache sigs for wildcard answers, because to reproduce the
	36	+ answer from the cache will require one or more NSEC/NSEC3 records
	37	+ which we don't cache. The lack of the RRSIG ensures that a query for
	38	+ this RRset asking for a secure answer will always be forwarded. */
	39	+ if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2)))
	40	{
	41	if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD \| F_DNSKEY \| F_DS)))
	42	blockdata_free(key);
	43	--
	44	2.1.0
	45