From: Wouter Wijngaards Date: Tue, 28 Aug 2007 09:47:17 +0000 (+0000) Subject: No offtree signing. X-Git-Tag: release-0.5~87 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af2b30052910a3e749dd93107d15065607f273b3;p=thirdparty%2Funbound.git No offtree signing. git-svn-id: file:///svn/unbound/trunk@554 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index b093782e7..00ecadefd 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -5,6 +5,7 @@ and stores the rrsets in the cache. Further referral (nonRD queries) replies are made from the rrset cache directly. Unless unchecked rrsets are encountered, there are then validated. + - enforce that signing is done by a parent domain (or same domain). 27 August 2007: Wouter - do not garble the edns if a cache answer fails. diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c index 7da9356ed..a180be57f 100644 --- a/validator/val_sigcrypt.c +++ b/validator/val_sigcrypt.c @@ -1329,6 +1329,10 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve, verbose(VERB_ALGO, "verify: malformed signer name"); return sec_status_bogus; /* signer name invalid */ } + if(!dname_subdomain_c(rrset->rk.dname, signer)) { + verbose(VERB_ALGO, "verify: signer name is off-tree"); + return sec_status_bogus; /* signer name offtree */ + } sigblock = (unsigned char*)signer+signer_len; if(siglen < 2+18+signer_len+1) { verbose(VERB_ALGO, "verify: too short, no signature data");
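Review bot: the Changelog entry in the doc/Changelog hunk should say where the check lives and what the effect is, since "enforce that signing is done by a parent domain (or same domain)" does not tell a reader which path rejects the signature or how: suggest wording along the lines of "validator: dnskey_verify_rrset_sig() returns sec_status_bogus when the RRSIG signer name is not the rrset owner name or one of its ancestors (off-tree signer)", which also makes clear this is the RFC 4035 section 5.3.1 requirement that the signer's name be the zone containing the RRset.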
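Review bot: in the validator/val_sigcrypt.c hunk, the correctness of the new check depends entirely on the argument order of dname_subdomain_c(rrset->rk.dname, signer); the intent per the Changelog is "owner name is at or below the signer name", so please confirm that the function's first argument is the candidate subdomain and that an equal name counts as a match, otherwise same-zone signatures (signer equal to owner, the common case) would be rejected. Two smaller points: the verbose message "verify: signer name is off-tree" would be far more useful at VERB_ALGO if it included both names, and the comment spelling ("offtree") differs from the message ("off-tree"). A unit test with one in-tree and one off-tree signer would pin the behaviour down.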