From: Grigorii Demidov Date: Wed, 22 Mar 2017 12:18:06 +0000 (+0100) Subject: layer/validate: check if NSEC3 records in wildcard expansion proof has an optout X-Git-Tag: v1.3.0~23^2~50^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e54ca786d497b281b5d65c3003f9313b6e7b419;p=thirdparty%2Fknot-resolver.git layer/validate: check if NSEC3 records in wildcard expansion proof has an optout
---
diff --git a/lib/dnssec.c b/lib/dnssec.c
index 8a0c01640..de209e2da 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -214,6 +214,10 @@ int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
 ret = kr_nsec_wildcard_answer_response_check(pkt, KNOT_AUTHORITY, covered->owner);
 } else {
 ret = kr_nsec3_wildcard_answer_response_check(pkt, KNOT_AUTHORITY, covered->owner, trim_labels - 1);
+ if (ret == kr_error(DNSSEC_OUT_OF_RANGE)) {
+ ret = 0;
+ vctx->flags |= KR_DNSSEC_VFLG_OPTOUT;
+ }
 }
 if (ret != 0) {
 continue;
diff --git a/lib/dnssec.h b/lib/dnssec.h
index 598c5324f..cab3cf46b 100644
--- a/lib/dnssec.h
+++ b/lib/dnssec.h
@@ -43,6 +43,7 @@ void kr_crypto_reinit(void);
 struct dseckey;
 #define KR_DNSSEC_VFLG_WEXPAND 0x01
+#define KR_DNSSEC_VFLG_OPTOUT 0x02
 /** DNSSEC validation context. */
 struct kr_rrset_validation_ctx {
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index c8585fa44..34ddd7459 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -669,7 +669,8 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
 return ret;
 }
 if (flags & FLG_NAME_COVERED) {
- return kr_ok();
+ return has_optout(rrset) ?
+ kr_error(DNSSEC_OUT_OF_RANGE) : kr_ok();
 }
 }
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index ca0d0e3e6..24f182336 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
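Review bot: The opt-out signal is carried by reusing `kr_error(DNSSEC_OUT_OF_RANGE)`, a generic library error value, so any other failure that kr_nsec3_wildcard_answer_response_check might report with the same code (whether such a path exists in lib/dnssec/nsec3.c is not visible here) would be turned into `ret = 0` and the RRset would validate with only KR_DNSSEC_VFLG_OPTOUT set. A dedicated sentinel, or an out-parameter set by the callee, would keep "covered by an opt-out NSEC3" distinct from genuine errors; the same applies to the nsec3.c hunk that produces the value. The conversion also deserves a why-comment, e.g. `/* Covering NSEC3 has opt-out: the wildcard expansion is not proven, but this is not a failure either; record it and let the caller decide. */`. The rest of kr_rrset_validate_with_key, including what happens after `continue`, lies outside the hunk.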
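Review bot: `KR_DNSSEC_VFLG_OPTOUT` is added without a comment, and neither it nor the neighbouring `KR_DNSSEC_VFLG_WEXPAND` says what a set bit means for the validation result, even though the lib/dnssec.c hunk shows them being or-ed into `vctx->flags`. A Doxygen trailer would do, e.g. `#define KR_DNSSEC_VFLG_OPTOUT 0x02 /**< Wildcard proof relied on an NSEC3 RR with the opt-out flag set. */`, with a matching one on the WEXPAND line.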
@@ -35,7 +35,10 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
 * @param section_id Packet section to be processed.
 * @param sname Name to be checked.
 * @param trim_to_next Number of labels to remove to obtain next closer name.
- * @return 0 or error code.
+ * @return 0 or error code:
+ * DNSSEC_OUT_OF_RANGE - NSEC3 RR that covers a wildcard
+ * has been found, but has opt-out flag set;
+ * otherwise - error.
 */
 int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
 const knot_dname_t *sname, int trim_to_next);
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 94292f4ea..01140aa43 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -166,11 +166,15 @@ static int validate_records(struct kr_request *req, knot_pkt_t *answer, knot_mm_
 }
 /* Records were validated.
- * If there is wildcard expansion in answer, flag the query.
+ * If there is wildcard expansion in answer,
+ * or optout - flag the query.
 */
 if (an_flags & KR_DNSSEC_VFLG_WEXPAND) {
 qry->flags |= QUERY_DNSSEC_WEXPAND;
 }
+ if (an_flags & KR_DNSSEC_VFLG_OPTOUT) {
+ qry->flags |= QUERY_DNSSEC_OPTOUT;
+ }
 return ret;
 }
@@ -225,10 +229,12 @@ static int validate_keyset(struct kr_request *req, knot_pkt_t *answer, bool has_
 return ret;
 }
- if (vctx.flags & KR_DNSSEC_VFLG_WEXPAND)
- {
+ if (vctx.flags & KR_DNSSEC_VFLG_WEXPAND) {
 qry->flags |= QUERY_DNSSEC_WEXPAND;
 }
+ if (vctx.flags & KR_DNSSEC_VFLG_OPTOUT) {
+ qry->flags |= QUERY_DNSSEC_OPTOUT;
+ }
 }
 return kr_ok();
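Review bot: The new `@return` text names `DNSSEC_OUT_OF_RANGE`, but the function returns `kr_error(DNSSEC_OUT_OF_RANGE)` (the value the caller in lib/dnssec.c compares against), and "otherwise - error" leaves the 0 case unmentioned. Suggest `@return 0 on success; kr_error(DNSSEC_OUT_OF_RANGE) if the NSEC3 RR covering the name has the opt-out flag set, i.e. the wildcard expansion is not proven; any other kr_error() value on failure.`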
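Review bot: The WEXPAND/OPTOUT propagation into `qry->flags` is now written twice, here in validate_records and again in the validate_keyset hunk below, so a third validation flag would need both sites edited; a small static helper taking the flag word would keep them in sync. The updated comment `or optout - flag the query` could say what optout refers to, e.g. `* If the answer was a wildcard expansion, or its proof relied on an opt-out NSEC3 RR, flag the query.` Whether QUERY_DNSSEC_OPTOUT is already defined and how it is consumed cannot be seen in this diff; validate_records still returns `ret` unchanged, so the records count as validated here. The helper's parameter type should match the type of `an_flags` / `vctx.flags`, which the hunks do not show.
```c
/* Copy per-RRset validation flags (KR_DNSSEC_VFLG_*) onto the query. */
static void propagate_vflags(struct kr_query *qry, unsigned vflags)
{
	if (vflags & KR_DNSSEC_VFLG_WEXPAND) {
		qry->flags |= QUERY_DNSSEC_WEXPAND;
	}
	if (vflags & KR_DNSSEC_VFLG_OPTOUT) {
		qry->flags |= QUERY_DNSSEC_OPTOUT;
	}
}

/* … unchanged: validate_records body up to the flag propagation … */
	propagate_vflags(qry, an_flags);
	return ret;
```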