1 From 67ab3285b5d9a1b1e20e034cf272867fdab8a0f9 Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Fri, 20 Nov 2015 23:20:47 +0000
4 Subject: [PATCH] Handle unknown DS hash algos correctly.
5
6 When we can validate a DS RRset, but don't speak the hash algo it
7 contains, treat that the same as an NSEC/3 proving that the DS
8 doesn't exist. 4025 5.2
9 ---
10 src/dnssec.c | 13 +++++++++++++
11 1 file changed, 13 insertions(+)
12
13 diff --git a/src/dnssec.c b/src/dnssec.c
14 index 67ce486..b4dc14e 100644
15 --- a/src/dnssec.c
16 +++ b/src/dnssec.c
17 @@ -1005,6 +1005,19 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
18 if (crecp->flags & F_NEG)
19 return STAT_INSECURE_DS;
20
21 + /* 4035 5.2
22 + If the validator does not support any of the algorithms listed in an
23 + authenticated DS RRset, then the resolver has no supported
24 + authentication path leading from the parent to the child. The
25 + resolver should treat this case as it would the case of an
26 + authenticated NSEC RRset proving that no DS RRset exists, */
27 + for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
28 + if (hash_find(ds_digest_name(recp1->addr.ds.digest)))
29 + break;
30 +
31 + if (!recp1)
32 + return STAT_INSECURE_DS;
33 +
34 /* NOTE, we need to find ONE DNSKEY which matches the DS */
35 for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
36 {
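Review bot: The new loop after the F_NEG check gates only on the DS digest type via `hash_find(ds_digest_name(recp1->addr.ds.digest))`, so a DS record whose digest is supported but whose DNSKEY algorithm (`recp1->addr.ds.algo`) is not would still pass this gate, while the RFC text quoted in the comment speaks of "any of the algorithms" in the DS RRset. Unless dnssec_validate_by_ds already rejects unsupported key algorithms elsewhere in its body (the function starts before and continues after this hunk), the break condition should also require that `recp1->addr.ds.algo` is a signature algorithm this build can verify, so that an unsupported key algorithm is likewise treated as "no DS" rather than falling into the DNSKEY-matching loop below. Separately, if ds_digest_name() yields NULL for an unknown digest number, hash_find() must tolerate a NULL name; that is not visible in the hunk and is worth confirming, or guarding with a local `const char *dn = ds_digest_name(...); if (dn && hash_find(dn)) break;`. The commit message cites `4025 5.2` while the added comment cites `4035 5.2`; the former looks like a typo for the latter.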
37 --
38 1.7.10.4
39