From: Vladimír Čunát Date: Wed, 16 May 2018 08:19:48 +0000 (+0200) Subject: validate: be more careful with marking RRs as insecure X-Git-Tag: v2.4.0~40^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f37d6c25402e1b36e2902d1e36ce2022dbf215da;p=thirdparty%2Fknot-resolver.git validate: be more careful with marking RRs as insecure In case of referrals the authoritative server might add also another NS record(s), and this might lead to downgrading the corresponding zones. Regressed probably in f0da0a35 !505. --- diff --git a/NEWS b/NEWS index c99207441..3b994abc8 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,8 @@ +Security +-------- +- fix a rare case of zones incorrectly dowgraded to insecure status + + Knot Resolver 2.3.0 (2018-04-23) ================================ diff --git a/lib/layer/validate.c b/lib/layer/validate.c index 38cd169f4..c6ecf4408 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c @@ -420,13 +420,17 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_ /* Rank the corresponding nonauth NS as insecure. */ for (int i = 0; i < req->auth_selected.len; ++i) { ranked_rr_array_entry_t *ns = req->auth_selected.at[i]; - if (ns->qry_uid != qry->uid || !ns->rr + if (ns->qry_uid != qry->uid + || !ns->rr || ns->rr->type != KNOT_RRTYPE_NS) { continue; } + if (!referral && !knot_dname_is_equal(qry->sname, ns->rr->owner)) { + continue; + } /* Found the record. Note: this is slightly fragile * in case there were more NS records in the packet. - * As it is now, kr_nsec*_ref_to_unsigned consider + * As it is now for referrals, kr_nsec*_ref_to_unsigned consider * (only) the first NS record in the packet. */ if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */ ns->rank = KR_RANK_INSECURE;
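Review bot: typo in the new NEWS line, "dowgraded" should read "downgraded" (`- fix a rare case of zones incorrectly dowgraded to insecure status`). Since the entry sits under a new Security heading, it would also help to name the affected code path (NS ranking in lib/layer/validate.c) and the regression point the commit message gives (f0da0a35 !505), so that readers of the changelog can tell which releases are affected.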
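Review bot: the new guard `if (!referral && !knot_dname_is_equal(qry->sname, ns->rr->owner))` only tightens the non-referral path, while the commit message says the extra NS record(s) appear "in case of referrals"; on the referral path the loop still drops to `ns->rank = KR_RANK_INSECURE;` for every NS entry whose `qry_uid` matches, and the adjusted comment ("As it is now for referrals, kr_nsec*_ref_to_unsigned consider (only) the first NS record in the packet") concedes that the two sides are not aligned. Either reconcile the message with the condition, or make the referral branch as selective as the NSEC helpers it mirrors (rank only the first matching NS record, or check the owner against the delegation name being ranked) so that an unrelated NS RRset carried in the same packet cannot be downgraded. A one-line comment explaining why owner equality with `qry->sname` is the right criterion only when `!referral` would also help the next reader of this loop.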