1 | From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Fri, 20 Nov 2015 23:20:47 +0000 | |
4 | Subject: [PATCH] Handle unknown DS hash algos correctly. | |
5 | ||
6 | When we can validate a DS RRset, but don't speak the hash algo it | |
7 | contains, treat that the same as an NSEC/3 proving that the DS | |
8 | doesn't exist. 4025 5.2 | |
9 | --- | |
10 | src/dnssec.c | 13 +++++++++++++ | |
11 | 1 file changed, 13 insertions(+) | |
12 | ||
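diff --git a/src/dnssec.c b/src/dnssec.c
index 67ce486..b4dc14e 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 if (crecp->flags & F_NEG)
 return STAT_INSECURE_DS;
 
+/* 4035 5.2
+If the validator does not support any of the algorithms listed in an
+authenticated DS RRset, then the resolver has no supported
+authentication path leading from the parent to the child. The
+resolver should treat this case as it would the case of an
+authenticated NSEC RRset proving that no DS RRset exists, */
+for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
+if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
+break;
+
+if (!recp1)
+return STAT_INSECURE_DS;
+
 /* NOTE, we need to find ONE DNSKEY which matches the DS */
 for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
 {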
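Review bot: The new loop only asks whether a DS record's digest type is supported (`hash_find(ds_digest_name(recp1->addr.ds.digest))`), but the RFC 4035 5.2 text quoted directly above it is about the DNSKEY algorithm the DS names; a DS whose digest is known but whose `addr.ds.algo` this build cannot verify still falls through to the DNSKEY-matching loop below and is presumably rejected as bogus rather than treated as insecure. Requiring both fields to be usable before breaking, e.g. `if (hash_find(ds_digest_name(recp1->addr.ds.digest)) && hash_find(algo_digest_name(recp1->addr.ds.algo)))` (the same test `verify()` applies elsewhere in the file, if that helper is in scope here), would keep zones signed with an algorithm this build lacks resolvable as insecure instead of failing them. The commit message cites 4025 5.2 while the code comment cites 4035 5.2; the comment's reference is the one that matches the quoted text. dnssec_validate_by_ds continues beyond the end of the hunk.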
37 | -- | |
38 | 1.7.10.4 | |