validate: be more careful with marking RRs as insecure
authorVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 16 May 2018 08:19:48 +0000 (10:19 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 16 May 2018 08:26:42 +0000 (10:26 +0200)
In the case of referrals, the authoritative server might also add other NS
record(s), and this might lead to downgrading the corresponding zones.
Probably regressed in f0da0a35 !505.

NEWS
lib/layer/validate.c

diff --git a/NEWS b/NEWS
index c99207441b1b02300334f475bfc83d3314394f9b..3b994abc83d61a2225fe0b7d330b736e2a1ec866 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+Security
+--------
+- fix a rare case of zones incorrectly dowgraded to insecure status
+
+
 Knot Resolver 2.3.0 (2018-04-23)
 ================================
 
index 38cd169f48af393574d3f08c2f5ab790b50eb904..c6ecf44089705da541253526c1b108ae044dd825 100644 (file)
@@ -420,13 +420,17 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
                        /* Rank the corresponding nonauth NS as insecure. */
                        for (int i = 0; i < req->auth_selected.len; ++i) {
                                ranked_rr_array_entry_t *ns = req->auth_selected.at[i];
-                               if (ns->qry_uid != qry->uid || !ns->rr
+                               if (ns->qry_uid != qry->uid
+                                   || !ns->rr
                                    || ns->rr->type != KNOT_RRTYPE_NS) {
                                        continue;
                                }
+                               if (!referral && !knot_dname_is_equal(qry->sname, ns->rr->owner)) {
+                                       continue;
+                               }
                                /* Found the record.  Note: this is slightly fragile
                                 * in case there were more NS records in the packet.
-                                * As it is now, kr_nsec*_ref_to_unsigned consider
+                                * As it is now for referrals, kr_nsec*_ref_to_unsigned consider
                                 * (only) the first NS record in the packet. */
                                if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */
                                        ns->rank = KR_RANK_INSECURE;
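Review bot: The new owner check applies only when `referral` is false, so on the referral path the loop still marks every NS RR with a matching `qry_uid` as KR_RANK_INSECURE, even though the updated comment says kr_nsec*_ref_to_unsigned examined only the first NS record in the packet; a referral that carries NS RRsets for a second owner would still have that second zone downgraded without a proof covering it. Unless the referral path is known to yield a single NS owner in `auth_selected` (I cannot tell from this hunk), the comparison should use the name the NSEC/NSEC3 proof was actually evaluated for in both cases rather than being skipped for referrals, or the loop should at least stop after the first matching RRset. The reason for the `!referral` condition is also worth recording next to it, e.g. `/* Non-referral: only the NS set owned by the queried name was proven insecure. */`. update_delegation starts and ends outside this hunk.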