From f37d6c25402e1b36e2902d1e36ce2022dbf215da Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 16 May 2018 10:19:48 +0200
Subject: [PATCH] validate: be more careful with marking RRs as insecure

In case of referrals the authoritative server might add also another NS record(s), and this might lead to downgrading the corresponding zones.

Regressed probably in f0da0a35 !505.
---
 NEWS | 5 +++++
 lib/layer/validate.c | 8 ++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index c99207441..3b994abc8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+Security
+--------
+- fix a rare case of zones incorrectly dowgraded to insecure status
+
+
 Knot Resolver 2.3.0 (2018-04-23)
 ================================
 
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 38cd169f4..c6ecf4408 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -420,13 +420,17 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
 /* Rank the corresponding nonauth NS as insecure. */
 for (int i = 0; i < req->auth_selected.len; ++i) {
 ranked_rr_array_entry_t *ns = req->auth_selected.at[i];
-if (ns->qry_uid != qry->uid || !ns->rr
+if (ns->qry_uid != qry->uid
+    || !ns->rr
     || ns->rr->type != KNOT_RRTYPE_NS) {
 continue;
 }
+if (!referral && !knot_dname_is_equal(qry->sname, ns->rr->owner)) {
+continue;
+}
 /* Found the record. Note: this is slightly fragile
  * in case there were more NS records in the packet.
- * As it is now, kr_nsec*_ref_to_unsigned consider
+ * As it is now for referrals, kr_nsec*_ref_to_unsigned consider
  * (only) the first NS record in the packet. */
 if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */
 ns->rank = KR_RANK_INSECURE;
-- 
2.47.2
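Review bot: The new owner check `if (!referral && !knot_dname_is_equal(qry->sname, ns->rr->owner))` is skipped entirely when `referral` is set, so the situation the commit message describes — an authoritative server attaching an additional NS RRset to a referral — still reaches `ns->rank = KR_RANK_INSECURE` for every NS entry with a matching `qry_uid`, not only the one the NSEC/NSEC3 proof was made for; the retained comment ("slightly fragile in case there were more NS records") acknowledges this remains open. Because marking an RRset insecure is the DNSSEC-downgrade direction, the referral branch deserves the same bound: compare `ns->rr->owner` against the owner of the NS record that kr_nsec*_ref_to_unsigned actually considered, e.g. `if (referral && !knot_dname_is_equal(ns->rr->owner, DELEGATION_OWNER_PLACEHOLDER)) { continue; }`, where the placeholder stands for that name (whether it is already in scope cannot be seen here, since update_delegation begins before the hunk and its signature is truncated at the header). A short comment on the added check would also help the next reader: `/* Non-referral answer: only the NS RRset at the query name itself may be downgraded. */`. The loop's remaining body and the function's return are outside the hunk.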