validator: avoid using RRSIG from a different packet
authorVladimír Čunát <vladimir.cunat@nic.cz>
Tue, 6 Oct 2020 07:15:43 +0000 (09:15 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Wed, 7 Oct 2020 15:02:43 +0000 (17:02 +0200)
Restrict tried RRSIGs by qry_uid equality.
I see no use case against and it could be confusing.
(Also rewrite the conditions around to positive form.)

An assertion in cache noticed an NSEC with _SECURE rank but no RRSIG
(in practice).  It was a side-effect of still not keeping RRSIGs with
their RRs in some places.  It wasn't a security problem, as it doesn't
really matter where the signatures came from.  Theoretically it
might've led to incorrect caching (missing usable RRSIGs), as cache
was restricting qry_uid to match, but that hasn't been noticed
in practice.

NEWS
lib/dnssec.c

diff --git a/NEWS b/NEWS
index 0b74d5026488be9fd5aeb592fc8611e029c5a80d..52c0bdb61838cd6c5083a969d0a795e053fe32fb 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ Improvements
 - net: split the EDNS buffer size into upstream and downstream (!1026)
 - lua-http doh: answer to /dns-query endpoint as well as /doh (!1069)
 
+Bugfixes
+--------
+- avoid an assert() error in stash_rrset() (!1072)
+
 
 Knot Resolver 5.1.3 (2020-09-08)
 ================================
index 50b53f2e0f06a0f73be82e09140168d1e7f71da4..7490a67586c7b5740b0629f6f0d5b17e27d9e62e 100644 (file)
@@ -193,14 +193,15 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
        }
 
        for (uint16_t i = 0; i < vctx->rrs->len; ++i) {
-               /* Consider every RRSIG that matches owner and covers the class/type. */
+               /* Consider every RRSIG that matches and comes from the same query. */
                const knot_rrset_t *rrsig = vctx->rrs->at[i]->rr;
-               if (rrsig->type != KNOT_RRTYPE_RRSIG) {
+               const bool ok = vctx->rrs->at[i]->qry_uid == vctx->qry_uid
+                       && rrsig->type == KNOT_RRTYPE_RRSIG
+                       && rrsig->rclass == covered->rclass
+                       && knot_dname_is_equal(rrsig->owner, covered->owner);
+               if (!ok)
                        continue;
-               }
-               if ((covered->rclass != rrsig->rclass) || !knot_dname_is_equal(covered->owner, rrsig->owner)) {
-                       continue;
-               }
+
                knot_rdata_t *rdata_j = rrsig->rrs.rdata;
                for (uint16_t j = 0; j < rrsig->rrs.count; ++j, rdata_j = knot_rdataset_next(rdata_j)) {
                        int val_flgs = 0;