validator: avoid assertion in an edge-case

Case: NSEC3 with too many iterations used for a positive wildcard proof.

To really fix the answers, this also needed fixing the `any_rank` part
which I somehow forgot in commit 7107faebc :-(

diff --git a/NEWS b/NEWS
index 813e6c89beabb30b893323b1ee309fc04163cb6b..b296d9a71d6c0a63c8325ff9ae76539756ce0478 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 Knot Resolver 5.3.2 (2021-0m-dd)
 ================================
 
+Security
+--------
+- validator: fix 5.3.1 regression on over-limit NSEC3 edge case (!1169)
+  Assertion might be triggered by query/answer, potentially DoS.
+
 Improvements
 ------------
 - cache: improve handling write errors from LMDB (!1159)

diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index e9e536a3c85c3267a841b6dd66179cc5fc316b6d..f3a48c06049634dcff8efbbd5d8a2a14f750f7c9 100644 (file)
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -596,6 +596,13 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
                if (rrset->type != KNOT_RRTYPE_NSEC3) {
                        continue;
                }
+               if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+                       /* Avoid hashing with too many iterations.
+                        * If we get here, the `sname` wildcard probably ends up bogus,
+                        * but it gets downgraded to KR_RANK_INSECURE when validator
+                        * gets to verifying one of these over-limit NSEC3 RRs. */
+                       continue;
+               }
                int ret = covers_name(&flags, rrset, sname);
                if (ret != 0) {
                        return ret;

diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index 1e316f56922d2a98d424308df9e67699627e896e..0fdbfcef0541ae0a1745d75a2ec3d5c62a7b1433 100644 (file)
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
  *                     KNOT_ERANGE - NSEC3 RR that covers a wildcard
  *                     has been found, but has opt-out flag set;
  *                     otherwise - error.
+ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
  */
 int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
                                             const knot_dname_t *sname, int trim_to_next);

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index cf5dda2de79946a491363bc85f19fa7f1221bebc..cf5c88a1e27264baebd208aa61de6d4b78cd2694 100644 (file)
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -894,7 +894,8 @@ static void rank_records(struct kr_query *qry, bool any_rank, enum kr_rank rank_
                                                                 bailiwick) < 0) {
                                continue;
                        }
-                       if (kr_rank_test(entry->rank, KR_RANK_INITIAL)
+                       if (any_rank
+                           || kr_rank_test(entry->rank, KR_RANK_INITIAL)
                            || kr_rank_test(entry->rank, KR_RANK_TRY)
                            || kr_rank_test(entry->rank, KR_RANK_MISSING)) {
                                kr_rank_set(&entry->rank, rank_to_set);

diff --git a/tests/integration/deckard b/tests/integration/deckard
index 01eabd23dc3315ef9d27ae7f5fe19c142dcbdfdb..c4628156e6cf499e8052c321b24793a176ded494 160000 (submodule)
--- a/tests/integration/deckard
+++ b/tests/integration/deckard
@@ -1 +1 @@
-Subproject commit 01eabd23dc3315ef9d27ae7f5fe19c142dcbdfdb
+Subproject commit c4628156e6cf499e8052c321b24793a176ded494