[ipfire-2.x.git] / src / patches / dnsmasq / 014-Handle_unknown_DS_hash_algos_correctly.patch

From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 20 Nov 2015 23:20:47 +0000
Subject: [PATCH] Handle unknown DS hash algos correctly.

When we can validate a DS RRset, but don't speak the hash algo it
contains, treat that the same as an NSEC/3 proving that the DS
doesn't exist. 4025 5.2
---
 src/dnssec.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/dnssec.c b/src/dnssec.c
index 67ce486..b4dc14e 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
   if (crecp->flags & F_NEG)
     return STAT_INSECURE_DS;
   
+  /* 4035 5.2 
+     If the validator does not support any of the algorithms listed in an
+     authenticated DS RRset, then the resolver has no supported
+     authentication path leading from the parent to the child.  The
+     resolver should treat this case as it would the case of an
+     authenticated NSEC RRset proving that no DS RRset exists,  */
+  for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
+    if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
+      break;
+  
+  if (!recp1)
+    return STAT_INSECURE_DS;
+
   /* NOTE, we need to find ONE DNSKEY which matches the DS */
   for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--) 
     {
-- 
1.7.10.4
Commit	Line	Data
40e1bbda MF	1	From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Fri, 20 Nov 2015 23:20:47 +0000
	4	Subject: [PATCH] Handle unknown DS hash algos correctly.
	5
	6	When we can validate a DS RRset, but don't speak the hash algo it
	7	contains, treat that the same as an NSEC/3 proving that the DS
	8	doesn't exist. 4025 5.2
	9	---
	10	src/dnssec.c \| 13 +++++++++++++
	11	1 file changed, 13 insertions(+)
	12
	13	diff --git a/src/dnssec.c b/src/dnssec.c
	14	index 67ce486..b4dc14e 100644
	15	--- a/src/dnssec.c
	16	+++ b/src/dnssec.c
	17	@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
	18	if (crecp->flags & F_NEG)
	19	return STAT_INSECURE_DS;
	20
	21	+ /* 4035 5.2
	22	+ If the validator does not support any of the algorithms listed in an
	23	+ authenticated DS RRset, then the resolver has no supported
	24	+ authentication path leading from the parent to the child. The
	25	+ resolver should treat this case as it would the case of an
	26	+ authenticated NSEC RRset proving that no DS RRset exists, */
	27	+ for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
	28	+ if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
	29	+ break;
	30	+
	31	+ if (!recp1)
	32	+ return STAT_INSECURE_DS;
	33	+
	34	/* NOTE, we need to find ONE DNSKEY which matches the DS */
	35	for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
	36	{
	37	--
	38	1.7.10.4
	39