A little more strict DS scrubbing.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 18 Feb 2010 09:47:08 +0000 (09:47 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Thu, 18 Feb 2010 09:47:08 +0000 (09:47 +0000)
git-svn-id: file:///svn/unbound/trunk@1986 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
iterator/iter_utils.c
iterator/iter_utils.h
iterator/iterator.c

index 5e6632055261e396374a70fcc6fa3f83346a9cd1..bb11365f19024e4d1ddf349ee483cae5b12a0cb0 100644 (file)
@@ -1,3 +1,6 @@
+18 February 2010: Wouter
+       - A little more strict DS scrubbing.
+
 17 February 2010: Wouter
        - Disregard DNSKEY from authority section for chain of trust.
          DS records that are irrelevant to a referral scrubbed.  Anti-poison.
index 2416f3abbb38040ca306f615e9ec352f9a6e3485..396814edf67fc34c2bdf167b994cd52afbd9ca65 100644 (file)
@@ -757,20 +757,22 @@ iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 }
 
 void
-iter_scrub_ds(struct ub_packed_rrset_key* ns, struct dns_msg* msg)
+iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
 {
        /* Only the DS record for the delegation itself is expected.
         * We allow DS for everything between the bailiwick and the 
         * zonecut, thus DS records must be at or above the zonecut.
+        * And the DS records must be below the server authority zone.
         * The answer section is already scrubbed. */
        size_t i = msg->rep->an_numrrsets;
        while(i < (msg->rep->an_numrrsets + msg->rep->ns_numrrsets)) {
                struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
                if(ntohs(s->rk.type) == LDNS_RR_TYPE_DS &&
-                       !dname_subdomain_c(ns->rk.dname, s->rk.dname)) {
-                       log_nametypeclass(VERB_ALGO, "removing irrelevant DS "
-                               "from referral", s->rk.dname, 
-                               ntohs(s->rk.type), ntohs(s->rk.rrset_class));
+                       (!ns || !dname_subdomain_c(ns->rk.dname, s->rk.dname)
+                       || query_dname_compare(z, s->rk.dname) == 0)) {
+                       log_nametypeclass(VERB_ALGO, "removing irrelevant DS",
+                               s->rk.dname, ntohs(s->rk.type),
+                               ntohs(s->rk.rrset_class));
                        memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1,
                                sizeof(struct ub_packed_rrset_key*) * 
                                (msg->rep->rrset_count-i-1));
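Review bot: The new `query_dname_compare(z, s->rk.dname) == 0` test only drops a DS whose owner name equals the zone name, while the comment added just above says DS records must be below the server's authority zone; a DS named above `z` still survives as long as it is at or above the zonecut, so the code is looser than the comment. If the comment states the intent, the condition should be a strict-subdomain test, e.g. `|| !dname_subdomain_c(s->rk.dname, z) || query_dname_compare(z, s->rk.dname) == 0)`, assuming the same argument order as the existing call (first argument is a subdomain of the second). `z` is only evaluated after `!ns` fails, so a NULL `z` is safe only when `ns` is NULL, which is worth stating in a comment on the condition. The loop body and the end of iter_scrub_ds lie outside the hunk.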
index 85d9c1a216c257a1a175bf31c3812154e50b1e4c..2a1a724c2797dadd51006d12af0179434664a2a3 100644 (file)
@@ -248,9 +248,12 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
 
 /**
  * Remove DS records that are inappropriate before they are cached.
- * @param ns: RRSET that is the NS record for the referral.
  * @param msg: the response to scrub.
+ * @param ns: RRSET that is the NS record for the referral.
+ *     if NULL, then all DS records are removed from the authority section.
+ * @param z: zone name that the response is from.
  */
-void iter_scrub_ds(struct ub_packed_rrset_key* ns, struct dns_msg* msg);
+void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
+       uint8_t* z);
 
 #endif /* ITERATOR_ITER_UTILS_H */
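Review bot: The new `@param z` line does not say whether `z` may be NULL, yet the iterator.c call site now passes `NULL, NULL`; the implementation reads `z` only after the `!ns` test, so the contract works by short-circuit alone. Add under `@param z` the line ` *     may be NULL only when ns is NULL; it is not examined in that case.` so callers do not pass NULL for z with a non-NULL ns.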
index cc66c489593bdb8d962aae209e53e3706e62b26b..4a82d64377f8f93b969a464d94f034680a04665b 100644 (file)
@@ -1613,8 +1613,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
                        verbose(VERB_ALGO, "bad referral, throwaway");
                        type = RESPONSE_TYPE_THROWAWAY;
                } else
-                       iter_scrub_ds(ns, iq->response);
-       }
+                       iter_scrub_ds(iq->response, ns, iq->dp->name);
+       } else iter_scrub_ds(iq->response, NULL, NULL);
 
        /* handle each of the type cases */
        if(type == RESPONSE_TYPE_ANSWER) {
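Review bot: The added `} else iter_scrub_ds(iq->response, NULL, NULL);` puts the statement on the brace line, unlike the surrounding code where each branch body sits on its own indented line; write it as `} else` followed by an indented `iter_scrub_ds(iq->response, NULL, NULL);`. Since the NULL, NULL pair silently means "strip every DS from the authority section", a comment on that line such as `/* not a referral: no DS belongs in the authority section */` would make the intent visible at the call site. processQueryResponse starts and ends outside the hunk.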