From: Lennart Poettering
Date: Wed, 13 Jan 2016 01:29:31 +0000 (+0100)
Subject: resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME
X-Git-Tag: v229~138^2~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e8233bce196a14fa3ebde2969594fcdfa4404e19;p=thirdparty%2Fsystemd.git
resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME
---
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index fb8228048da..47a37fa0a75 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -120,6 +120,21 @@ bool dns_type_may_redirect(uint16_t type) {
DNS_TYPE_KEY);
}
+bool dns_type_may_wildcard(uint16_t type) {
+
+ /* The following records may not be expanded from wildcard RRsets */
+
+ if (dns_type_is_pseudo(type))
+ return false;
+
+ return !IN_SET(type,
+ DNS_TYPE_NSEC3,
+ DNS_TYPE_SOA,
+
+ /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
+ DNS_TYPE_DNAME);
+}
+
bool dns_type_is_dnssec(uint16_t type) {
return IN_SET(type,
DNS_TYPE_DS,
diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h
index 45080fd243a..747bc854e1a 100644
--- a/src/resolve/dns-type.h
+++ b/src/resolve/dns-type.h
@@ -131,6 +131,7 @@ bool dns_type_is_valid_rr(uint16_t type);
bool dns_type_may_redirect(uint16_t type);
bool dns_type_is_dnssec(uint16_t type);
bool dns_type_is_obsolete(uint16_t type);
+bool dns_type_may_wildcard(uint16_t type);
bool dns_class_is_pseudo(uint16_t class);
bool dns_class_is_valid_rr(uint16_t class);
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index a18ae56b9ea..6f0f8f837e7 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
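Review bot: dns_type_may_wildcard() in the dns-type.c hunk cites RFC 4592 for excluding DNAME but gives no rationale for NSEC3 and SOA, and the leading comment `/* The following records may not be expanded from wildcard RRsets */` sits above the pseudo-type check rather than above the list it describes. A header comment would make the contract explicit for callers such as the DNSSEC verifier: `/* Returns true if an RR of this type may legitimately be synthesized from a wildcard RRset: pseudo types never are; NSEC3 (owner names are hashed labels), SOA (zone apex only) and DNAME (RFC 4592 §4.4) are excluded explicitly. */`. The prototype added in the dns-type.h hunk is placed after dns_type_is_obsolete() rather than next to dns_type_may_redirect(), the predicate it mirrors; grouping the two may_* predicates together would read more naturally.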
@@ -548,6 +548,11 @@ int dnssec_verify_rrset(
r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(key), rrsig->rrsig.labels, &source);
if (r < 0)
return r;
+ if (r > 0 && !dns_type_may_wildcard(rrsig->rrsig.type_covered)) {
+ /* We refuse to validate NSEC3 or SOA RRs that are synthesized from wildcards */
+ *result = DNSSEC_INVALID;
+ return 0;
+ }
if (r == 1) {
/* If we stripped a single label, then let's see if that maybe was "*". If so, we are not really
* synthesized from a wildcard, we are the wildcard itself. Treat that like a normal name. */
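Review bot: The new check in dnssec_verify_rrset() fires for any r > 0, but the `if (r == 1)` branch directly below it treats the case where the single stripped label is `*` as the wildcard RR itself rather than a synthesized one, so a SOA or DNAME whose owner name is literally a wildcard is now rejected as DNSSEC_INVALID before that normalization runs. If that is intended, the condition deserves a comment saying so; if not, the check should move below the r == 1 handling (presumably that branch adjusts r for the wildcard-itself case, but its body is not visible here). The added comment `/* We refuse to validate NSEC3 or SOA RRs that are synthesized from wildcards */` also understates what dns_type_may_wildcard() rejects, which includes DNAME and every pseudo type; `/* Refuse to validate RRs of types that may never be wildcard-synthesized (pseudo types, NSEC3, SOA, DNAME), see dns_type_may_wildcard() */` would match the helper. dnssec_verify_rrset() starts and ends outside the hunk.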