git.ipfire.org Git - thirdparty/bind9.git/commit

author	Mark Andrews <marka@isc.org>
	Wed, 1 Dec 2021 13:34:38 +0000 (00:34 +1100)
committer	Petr Špaček <pspacek@isc.org>
	Thu, 2 Dec 2021 13:27:18 +0000 (14:27 +0100)
commit	0aaaa8768f317db2a92fd311122889f6cb8afe50
tree	f90a61f0218d7535e04ee0db58732589444cd2e6	tree \| snapshot
parent	8878adcd6124f6e3629332d31937a28caf0d28ea	commit \| diff

Reject NSEC records with next field with \000 label

A number of DNS implementation produce NSEC records with bad type
maps that don't contain types that exist at the name leading to
NODATA responses being synthesize instead of the records in the
zone. NSEC records with these bad type maps often have the NSEC
NSEC field set to '\000.QNAME'. We look for the first label of
this pattern.

e.g.
example.com NSEC \000.example.com SOA NS NSEC RRSIG
example.com RRRSIG NSEC ...
example.com SOA ...
example.com RRRSIG SOA ...
example.com NS ...
example.com RRRSIG NS ...
example.com A ...
example.com RRRSIG A ...

A is missing from the type map.

This introduces a temporary option 'reject-000-label' to control
this behaviour.

bin/named/config.c		diff \| blob \| blame \| history
bin/named/named.conf.rst		diff \| blob \| blame \| history
bin/named/server.c		diff \| blob \| blame \| history
doc/arm/reference.rst		diff \| blob \| blame \| history
doc/man/named.conf.5in		diff \| blob \| blame \| history
doc/misc/options		diff \| blob \| blame \| history
doc/misc/options.active		diff \| blob \| blame \| history
doc/misc/options.grammar.rst		diff \| blob \| blame \| history
lib/dns/include/dns/view.h		diff \| blob \| blame \| history
lib/dns/resolver.c		diff \| blob \| blame \| history
lib/dns/view.c		diff \| blob \| blame \| history
lib/isccfg/namedconf.c		diff \| blob \| blame \| history