From: Matthijs Mekking
Date: Wed, 12 Oct 2022 14:24:13 +0000 (+0200)
Subject: Change default TTL of NSEC3PARAM to SOA MINIMUM
X-Git-Tag: v9.19.8~63^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=53eab060837ddf792a0da5d8424fe955c190d375;p=thirdparty%2Fbind9.git

Change default TTL of NSEC3PARAM to SOA MINIMUM

Despite the RFC says that the NSEC3PARAM is not something that is intended for the resolver to be cached, and thus the TTL of 0 is most logical, a zero TTL RRset can be abused by bad actors. Change the default to SOA MINIMUM.
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index fe7cb5bed3d..f8a7ab46330 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -8120,6 +8120,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	dns_rdata_nsec3param_t nsec3param;
+	dns_rdata_soa_t soa;
 	isc_result_t result;
 	isc_buffer_t buffer;
 	unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -8130,6 +8131,21 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 	result = dns_db_getoriginnode(db, &node);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/* Default TTL is SOA MINIMUM */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		CHECK(dns_rdataset_first(&rdataset));
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+		ttl = soa.minimum;
+		dns_rdata_reset(&rdata);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
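Review bot: The two CHECK() calls inside the new `if (result == ISC_R_SUCCESS)` block in the second hunk jump out with `rdataset` still associated and `rdata` not reset, so the `dns_rdataset_isassociated` / `dns_rdataset_disassociate` pair that follows is skipped on those error paths; unless the function's failure label (outside this hunk) already disassociates `rdataset`, the SOA lookup introduces a leaked association on error. Since the lookup only supplies a default TTL, I would sequence it so the rdataset is always disassociated before any `goto`, keeping the existing CHECK() propagation and assigning `ttl` only after both calls succeeded, as sketched below. The comment would also carry the motivation from the commit message, e.g. `/* Default TTL is SOA MINIMUM; a zero-TTL NSEC3PARAM RRset can be abused (see commit log). */`. I am assuming `ttl` is initialised before this block (its declaration is outside the hunk); if it is not, the path where no SOA is found leaves it unset. fixup_nsec3param starts before and continues after both hunks.

```c
	/* … unchanged: dns_db_findrdataset() for dns_rdatatype_soa … */
	if (result == ISC_R_SUCCESS) {
		result = dns_rdataset_first(&rdataset);
		if (result == ISC_R_SUCCESS) {
			dns_rdataset_current(&rdataset, &rdata);
			result = dns_rdata_tostruct(&rdata, &soa, NULL);
			dns_rdata_reset(&rdata);
		}
		/* Release the SOA rdataset before any error jump. */
		dns_rdataset_disassociate(&rdataset);
		CHECK(result);
		ttl = soa.minimum;
	}
```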