From: Mark Andrews Date: Fri, 5 Sep 2014 02:10:55 +0000 (+1000) Subject: 3945. [bug] Invalid wildcard expansions could be incorrectly X-Git-Tag: v9.8.8rc2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=770e4721c6ccc908105dce1cb701409c01a72ec0;p=thirdparty%2Fbind9.git 3945. [bug] Invalid wildcard expansions could be incorrectly accepted by the validator. [RT #37093] (cherry picked from commit 2fa1fc53324c0fca978c902e883c7cc011210536)
---
diff --git a/CHANGES b/CHANGES
index aa8754ea82e..a8aa630b020 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3945. [bug] Invalid wildcard expansions could be incorrectly
+ accepted by the validator. [RT #37093]
+
 3942. [bug] Wildcard responses from a optout range should be
 marked as insecure. [RT #37072]
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 8da1ac84b35..45228075594 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -421,7 +421,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
 nlabels, &common);
 }
 result = dns_name_concatenate(dns_wildcardname, &common,
- wild, NULL);
+ wild, NULL);
 if (result != ISC_R_SUCCESS) {
 dns_rdata_freestruct(&nsec);
 (*logit)(arg, ISC_LOG_DEBUG(3),
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 67194b6bd3a..1291cbf40de 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4916,10 +4916,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 }
 }
- if (valrdataset != NULL)
- result = valcreate(fctx, addrinfo, name, fctx->type,
- valrdataset, valsigrdataset, valoptions,
- task);
+ if (valrdataset != NULL) {
+ dns_rdatatype_t vtype = fctx->type;
+ if (CHAINING(valrdataset)) {
+ if (valrdataset->type == dns_rdatatype_cname)
+ vtype = dns_rdatatype_cname;
+ else
+ vtype = dns_rdatatype_dname;
+ }
+ result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+ valsigrdataset, valoptions, task);
+ }
 if (result == ISC_R_SUCCESS && have_answer) {
 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
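Review bot: The new `else` branch in cache_name's `vtype` selection treats every chaining rdataset that is not a CNAME as a DNAME, and nothing in the hunk says why that is exhaustive. If CHAINING() is only ever set on CNAME and DNAME rdatasets, a one-line comment such as `/* CHAINING() rdatasets are either CNAME or DNAME. */` above the inner `if` would stop a later reader from taking the `else` for a catch-all default; if that is not guaranteed, the `else` should test `valrdataset->type == dns_rdatatype_dname` explicitly and otherwise leave `vtype` at `fctx->type`. This matters because `vtype` is what valcreate hands to the validator, so a wrong type here would presumably be checked against the RRSIG rather than the type actually in the rdataset. cache_name begins and ends outside the hunk.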
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index dd1804945b2..dc35e926ae9 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -918,12 +918,26 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 devent->name;
 }
 if (!exists) {
+ dns_name_t *closest;
+ unsigned int clabels;
+
 val->attributes |= VALATTR_FOUNDNOQNAME;
- val->attributes |= VALATTR_FOUNDCLOSEST;
+
+ closest = dns_fixedname_name(&val->closest);
+ clabels = dns_name_countlabels(closest);
+ /*
+ * If we are validating a wildcard response
+ * clabels will not be zero. We then need
+ * to check if the generated wilcard from
+ * dns_nsec_noexistnodata is consistent with
+ * the wildcard used to generate the response.
+ */
+ if (clabels == 0 ||
+ dns_name_countlabels(wild) == clabels + 1)
+ val->attributes |= VALATTR_FOUNDCLOSEST;
 /*
 * The NSEC noqname proof also contains
 * the closest encloser.
- */
 if (NEEDNOQNAME(val))
 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
@@ -2800,7 +2814,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
 if (!FOUNDNOQNAME(val))
 findnsec3proofs(val);
- if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
+ if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+ !FOUNDOPTOUT(val)) {
 validator_log(val, ISC_LOG_DEBUG(3),
 "marking as secure, noqname proof found");
 marksecure(val->event);
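Review bot: As rendered here, the authvalidated hunk removes the `*/` that closes the "The NSEC noqname proof also contains the closest encloser" comment and never adds it back, which would fold the following `if (NEEDNOQNAME(val))` into the comment; this may be a line lost in the collapsed rendering of this page, but it should be confirmed against the committed tree. The new FOUNDCLOSEST condition compares only label counts, and nothing in the hunk says why that is sufficient; a comment such as `/* closest and wild are both suffixes of the name being validated, so equal label counts mean the same closest encloser. */` would let a reader verify the check, assuming that is how val->closest and wild are derived, which the hunk does not show. The added comment also misspells "wildcard" as "wilcard". authvalidated begins and ends outside the hunk.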