git.ipfire.org Git - thirdparty/bind9.git/commit

author	Aram Sargsyan <aram@isc.org>
	Tue, 21 Jan 2025 13:20:12 +0000 (13:20 +0000)
committer	Arаm Sаrgsyаn <aram@isc.org>
	Thu, 20 Feb 2025 13:35:14 +0000 (13:35 +0000)
commit	716b9360452bcebd89d48faa895375fa3360b9ed
tree	3dd40bdf74c65fa30124154e0583f7319bc1f80c	tree \| snapshot
parent	742d379d88a5f7cb185f8f620c9a99965a0b31b4	commit \| diff

Implement sig0key-checks-limit and sig0message-checks-limit

Previously a hard-coded limitation of maximum two key or message
verification checks were introduced when checking the message's
SIG(0) signature. It was done in order to protect against possible
DoS attacks. The logic behind choosing the number two was that more
than one key should only be required only during key rotations, and
in that case two keys are enough. But later it became apparent that
there are other use cases too where even more keys are required, see
issue number #5050 in GitLab.

This change introduces two new configuration options for the views,
sig0key-checks-limit and sig0message-checks-limit, which define how
many keys are allowed to be checked to find a matching key, and how
many message verifications are allowed to take place once a matching
key has been found. The latter protects against expensive cryptographic
operations when there are keys with colliding tags and algorithm
numbers, with default being 2, and the former protects against a bit
less expensive key parsing operations and defaults to 16.

bin/named/config.c		diff \| blob \| blame \| history
bin/named/server.c		diff \| blob \| blame \| history
bin/tests/system/upforwd/setup.sh		diff \| blob \| blame \| history
bin/tests/system/upforwd/tests.sh		diff \| blob \| blame \| history
doc/misc/options		diff \| blob \| blame \| history
lib/dns/include/dns/view.h		diff \| blob \| blame \| history
lib/dns/message.c		diff \| blob \| blame \| history
lib/isccfg/namedconf.c		diff \| blob \| blame \| history