2 September 2008: Wouter
- DoS protection features. Queries are jostled out to make room.
- testbound can pass time, increasing the internal timer.
+ - do not mark unsigned additionals bogus, leave unchecked, which
+ is removed too.
1 September 2008: Wouter
- disallow nonrecursive queries for cache snooping by default.
+ DoS vector, flush more.
50% of max is for run-to-completion
50% rest is for lifo queue with 100-200 msec timeout.
-* records in the additional section should not be marked bogus
-if they have no signer or a different signed. Validate if you can,
-otherwise leave unchecked.
++ records in the additional section should not be marked bogus
+ if they have no signer or a different signed. Validate if you can,
+ otherwise leave unchecked.
* block DNS rebinding attacks, block all A records from 1918 IP blocks,
like dnswall does. Allow certain subdomains to do it, config options.
one option that controls on/off of all private space.
*sname = data;
}
-/**
- * Find the signer name for an RRset.
- * @param rrset: the rrset.
- * @param sname: signer name is returned or NULL if not signed.
- * @param slen: length of sname (or 0).
- */
-static void
+void
val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
size_t* slen)
{
*/
size_t val_next_unchecked(struct reply_info* rep, size_t skip);
+/**
+ * Find the signer name for an RRset.
+ * @param rrset: the rrset.
+ * @param sname: signer name is returned or NULL if not signed.
+ * @param slen: length of sname (or 0).
+ */
+void val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
+ size_t* slen);
+
/**
* Get string to denote the classification result.
* @param subtype: from classification function.
struct query_info* qchase, struct reply_info* chase_reply,
struct key_entry_key* key_entry)
{
- size_t i;
+ uint8_t* sname;
+ size_t i, slen;
struct ub_packed_rrset_key* s;
enum sec_status sec;
int dname_seen = 0;
for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
i<chase_reply->rrset_count; i++) {
s = chase_reply->rrsets[i];
- (void)val_verify_rrset_entry(env, ve, s, key_entry);
+ /* only validate rrs that have signatures with the key */
+ /* leave others unchecked, those get removed later on too */
+ val_find_rrset_signer(s, &sname, &slen);
+ if(sname && query_dname_compare(sname, key_entry->name)==0)
+ (void)val_verify_rrset_entry(env, ve, s, key_entry);
/* the additional section can fail to be secure,
* it is optional, check signature in case we need
* to clean the additional section later. */
projects / thirdparty / unbound.git / commitdiff
