From: Vladimír Čunát
Date: Tue, 4 Apr 2017 11:54:55 +0000 (+0200)
Subject: rrcache: harden against spoofing, again
X-Git-Tag: v1.3.0~23^2~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3701c86eb098ba8e5718f0929c1c19fff43decd5;p=thirdparty%2Fknot-resolver.git

rrcache: harden against spoofing, again

This fixes the iter_ns_spoof test.
---
diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index a9c725472..939bc4503 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
@@ -246,10 +246,13 @@ static int commit_rr(const char *key, void *val, void *data)
 if (KEY_COVERING_RRSIG(key)) {
 return commit_rrsig(baton, rank, KR_CACHE_FLAG_NONE, rr);
 }
- /* Accept only better or equal rank if not secure */
+ /* Accept only better rank if not secure. */
 if (!(rank & KR_RANK_SECURE)) {
 int cached_rank = kr_cache_peek_rank(baton->cache, KR_CACHE_RR, rr->owner, rr->type, baton->timestamp);
- if (cached_rank > rank) {
+ /* If equal rank was accepted, spoofing a single answer would be enough * to e.g. override NS record in AUTHORITY section. * This way they would have to hit the first answer (whenever TTL expires). */
+ if (cached_rank >= rank) {
 return kr_ok();
 }
 }
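Review bot: The new `cached_rank >= rank` test near the end of the hunk silently depends on the cache-miss value returned by kr_cache_peek_rank being negative and on `rank` having a type that keeps the comparison signed; `rank`'s declaration and the start of commit_rr are outside the hunk, so neither can be confirmed here. If `rank` were an unsigned type at least as wide as int, a negative miss code would convert to a large value and every non-secure record would be refused on a cache miss; and if a miss were ever reported as 0, the stricter `>=` would now also refuse records of rank 0 on a miss, where the old `>` did not. Making the miss case explicit removes both dependencies in one line: `if (cached_rank >= 0 && cached_rank >= rank) {`. The added comment would also benefit from naming the trade-off a reader will ask about, e.g. `/* A legitimate equal-rank answer (refreshed or changed NS set) is likewise discarded until the cached entry expires. */`, since that is the behaviour the anti-spoofing change buys at the cost of slower convergence.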