From: Pieter Lexis Date: Tue, 10 May 2016 10:47:46 +0000 (+0200) Subject: Check/fix invalid NSEC3PARAM hash algo X-Git-Tag: auth-4.0.0-alpha3^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3827%2Fhead;p=thirdparty%2Fpdns.git Check/fix invalid NSEC3PARAM hash algo --- diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc index 9d15e61e5e..7e033569a7 100644 --- a/modules/bindbackend/binddnssec.cc +++ b/modules/bindbackend/binddnssec.cc @@ -172,6 +172,11 @@ bool Bind2Backend::getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* n ns3p->d_iterations = maxNSEC3Iterations; L<d_algorithm != 1) { + L<d_algorithm)<<"', setting to 1 for zone '"<d_algorithm = 1; + } } return true; diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index e12fae21e7..644c782517 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -265,6 +265,10 @@ bool DNSSECKeeper::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* ns3p->d_iterations = maxNSEC3Iterations; L<d_algorithm != 1) { + L<d_algorithm)<<"', setting to 1 for zone '"<d_algorithm = 1; + } } if(narrow) { getFromMeta(zname, "NSEC3NARROW", value); @@ -279,6 +283,9 @@ bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordCon if (ns3p.d_iterations > maxNSEC3Iterations) throw runtime_error("Can't set NSEC3PARAM for zone '"+zname.toString()+"': number of NSEC3 iterations is above 'max-nsec3-iterations'"); + if (ns3p.d_algorithm != 1) + throw runtime_error("Invalid hash algorithm for NSEC3: '"+std::to_string(ns3p.d_algorithm)+"' for zone '"+zname.toString()+"'. The only valid value is '1'"); + clearCaches(zname); string descr = ns3p.getZoneRepresentation(); vector meta;
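Review bot: The repair in both getNSEC3PARAM hunks (modules/bindbackend/binddnssec.cc and pdns/dbdnsseckeeper.cc) only overwrites the caller's copy with `d_algorithm = 1;`, so as far as these hunks show the stored NSEC3PARAM stays invalid and the error is logged again on every call. If getNSEC3PARAM is reached on the query path (the callers are outside the hunks, so this is an assumption), one zone with bad metadata can flood the log at Error level; consider logging once per zone and having the message say how to correct the stored value. A comment above the check, for example `// 1 (SHA-1) is the only NSEC3 hash algorithm defined by RFC 5155; any other stored value is corrupt or unsupported`, would explain why the value is forced here rather than rejected. Both function bodies start and end outside their hunks, and this page has lost part of the added lines, so the note rests on the fragments that remain visible.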
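Review bot: The literal `1` in `if (ns3p.d_algorithm != 1)` in the setNSEC3PARAM hunk is the third copy of the same magic value in this commit, after the two getNSEC3PARAM hunks, and the error text repeats it in `The only valid value is '1'`. A single named constant shared by the three checks (for example `const uint8_t nsec3HashSHA1 = 1;  // RFC 5155: SHA-1, the only defined NSEC3 hash algorithm`) would keep this write-side rejection and the read-side repair from drifting apart if the accepted set ever changes. setNSEC3PARAM's body starts and ends outside the hunk.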