1 From e3ec6f0bd7323b043faa9dffa20f0c9151fae1e3 Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Fri, 12 Jun 2015 21:39:11 +0100
4 Subject: [PATCH 113/113] Handle CNAMEs to DS records when confirming absence
8 src/dnssec.c | 40 ++++++++++++++++++++++++++++++++++------
9 src/forward.c | 38 ++++++++++++++++++++++++++++++++++----
10 2 files changed, 68 insertions(+), 10 deletions(-)
12 diff --git a/src/dnssec.c b/src/dnssec.c
13 index 93217b05a846..52d14548b8e2 100644
16 @@ -1223,8 +1223,11 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
17 val = dnssec_validate_reply(now, header, plen, name, keyname, NULL, &neganswer, &nons);
18 /* Note dnssec_validate_reply() will have cached positive answers */
20 - if (val == STAT_NO_SIG || val == STAT_INSECURE)
21 + if (val == STAT_INSECURE)
24 + if (val == STAT_NO_SIG)
27 p = (unsigned char *)(header+1);
28 extract_name(header, plen, &p, name, 1, 4);
29 @@ -1875,11 +1878,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
31 if (neganswer && !have_answer)
35 /* No data, therefore no sigs */
36 if (ntohs(header->ancount) + ntohs(header->nscount) == 0)
44 for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
46 if (!extract_name(header, plen, &p1, name, 1, 10))
47 @@ -1948,6 +1954,19 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
50 *class = class1; /* Class for DS or DNSKEY */
52 + if (rc == STAT_NO_SIG)
54 + /* If we dropped off the end of a CNAME chain, return
55 + STAT_NO_SIG and the last name is keyname. This is used for proving non-existence
56 + if DS records in CNAME chains. */
57 + if (cname_count == CNAME_CHAIN || i < ntohs(header->ancount))
58 + /* No CNAME chain, or no sig in answer section, return empty name. */
60 + else if (!extract_name(header, plen, &qname, keyname, 1, 0))
67 @@ -2060,8 +2079,17 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
68 /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */
69 /* First marshall the NSEC records, if we've not done it previously */
70 if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass)))
71 - return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into
72 - an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
74 + /* No NSEC records. If we dropped off the end of a CNAME chain, return
75 + STAT_NO_SIG and the last name is keyname. This is used for proving non-existence
76 + if DS records in CNAME chains. */
77 + if (cname_count == CNAME_CHAIN) /* No CNAME chain, return empty name. */
79 + else if (!extract_name(header, plen, &qname, keyname, 1, 0))
81 + return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into
82 + an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
85 /* Get name of missing answer */
86 if (!extract_name(header, plen, &qname, name, 1, 0))
87 diff --git a/src/forward.c b/src/forward.c
88 index 8c3e71cebe87..b40dda37eca2 100644
91 @@ -851,7 +851,7 @@ void reply_query(int fd, int family, time_t now)
92 Avoid caching a reply with sigs if there's a vaildated break in the
93 DS chain, so we don't return replies from cache missing sigs. */
94 status = STAT_INSECURE_DS;
95 - else if (status == STAT_NO_NS)
96 + else if (status == STAT_NO_NS || status == STAT_NO_SIG)
99 else if (forward->flags & FREC_CHECK_NOSIGN)
100 @@ -997,7 +997,7 @@ void reply_query(int fd, int family, time_t now)
101 Avoid caching a reply with sigs if there's a vaildated break in the
102 DS chain, so we don't return replies from cache missing sigs. */
103 status = STAT_INSECURE_DS;
104 - else if (status == STAT_NO_NS)
105 + else if (status == STAT_NO_NS || status == STAT_NO_SIG)
108 else if (forward->flags & FREC_CHECK_NOSIGN)
109 @@ -1456,6 +1456,21 @@ static int do_check_sign(struct frec *forward, int status, time_t now, char *nam
110 if (status == STAT_BOGUS)
113 + if (status == STAT_NO_SIG && *keyname != 0)
115 + /* There is a validated CNAME chain that doesn't end in a DS record. Start
116 + the search again in that domain. */
117 + blockdata_free(forward->orig_domain);
118 + forward->name_start = strlen(keyname);
119 + forward->name_len = forward->name_start + 1;
120 + if (!(forward->orig_domain = blockdata_alloc(keyname, forward->name_len)))
123 + strcpy(name, keyname);
124 + status = 0; /* force to cache when we iterate. */
128 /* There's a proven DS record, or we're within a zone, where there doesn't need
129 to be a DS record. Add a name and try again.
130 If we've already tried the whole name, then fail */
131 @@ -1572,6 +1587,21 @@ static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, s
132 return STAT_INSECURE;
135 + if (status == STAT_NO_SIG && *keyname != 0)
137 + /* There is a validated CNAME chain that doesn't end in a DS record. Start
138 + the search again in that domain. */
139 + blockdata_free(block);
140 + name_len = strlen(keyname) + 1;
141 + name_start = name + name_len - 1;
143 + if (!(block = blockdata_alloc(keyname, name_len)))
146 + strcpy(name, keyname);
150 if (status == STAT_BOGUS)
153 @@ -1627,7 +1657,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
155 if (new_status == STAT_NO_DS)
156 new_status = STAT_INSECURE_DS;
157 - else if (new_status == STAT_NO_NS)
158 + else if (new_status == STAT_NO_NS || new_status == STAT_NO_SIG)
159 new_status = STAT_BOGUS;
162 @@ -1692,7 +1722,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
164 if (new_status == STAT_NO_DS)
165 new_status = STAT_INSECURE_DS;
166 - else if (new_status == STAT_NO_NS)
167 + else if (new_status == STAT_NO_NS || new_status == STAT_NO_SIG)
168 new_status = STAT_BOGUS; /* Validated no DS */