Change default TTL of NSEC3PARAM to SOA MINIMUM
authorMatthijs Mekking <matthijs@isc.org>
Wed, 12 Oct 2022 14:24:13 +0000 (16:24 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 11 Nov 2022 11:06:33 +0000 (12:06 +0100)
Although the RFC says that the NSEC3PARAM record is not intended to be
cached by resolvers, which makes a TTL of 0 the most logical choice, a
zero-TTL RRset can be abused by bad actors.

Change the default to SOA MINIMUM.

lib/dns/zone.c

index fe7cb5bed3dfc7b4a2167d77e8fde4383ea943dc..f8a7ab463309f08154f0660432ef6c5828851515 100644 (file)
@@ -8120,6 +8120,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
        dns_rdata_t rdata = DNS_RDATA_INIT;
        dns_rdataset_t rdataset;
        dns_rdata_nsec3param_t nsec3param;
+       dns_rdata_soa_t soa;
        isc_result_t result;
        isc_buffer_t buffer;
        unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -8130,6 +8131,21 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 
        result = dns_db_getoriginnode(db, &node);
        RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+       /* Default TTL is SOA MINIMUM */
+       result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
+                                    &rdataset, NULL);
+       if (result == ISC_R_SUCCESS) {
+               CHECK(dns_rdataset_first(&rdataset));
+               dns_rdataset_current(&rdataset, &rdata);
+               CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+               ttl = soa.minimum;
+               dns_rdata_reset(&rdata);
+       }
+       if (dns_rdataset_isassociated(&rdataset)) {
+               dns_rdataset_disassociate(&rdataset);
+       }
+
        result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
                                     0, &rdataset, NULL);
        if (result == ISC_R_NOTFOUND) {
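Review bot: If either `CHECK()` on the SOA path (the `dns_rdataset_first` and `dns_rdata_tostruct` calls) fails, control leaves the block with `rdataset` still associated and `rdata` not reset, because the `dns_rdataset_isassociated` guard that follows is only reached on the success path. Whether the function's failure label disassociates `rdataset` cannot be seen here, since fixup_nsec3param begins before this hunk and continues past it; if it does not, this is a leak on the error path. Disassociating before the jump keeps the cleanup local to the lookup and also drops the now-redundant `isassociated` check. Note too that when the SOA lookup itself does not return ISC_R_SUCCESS, `ttl` silently keeps its prior value, whose initialization is outside the hunk, so a one-line comment such as `/* no SOA at origin: keep the previous default */` would document that fallback.
```c
	/* Default TTL is SOA MINIMUM */
	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
				     &rdataset, NULL);
	if (result == ISC_R_SUCCESS) {
		result = dns_rdataset_first(&rdataset);
		if (result == ISC_R_SUCCESS) {
			dns_rdataset_current(&rdataset, &rdata);
			result = dns_rdata_tostruct(&rdata, &soa, NULL);
			if (result == ISC_R_SUCCESS) {
				ttl = soa.minimum;
			}
			dns_rdata_reset(&rdata);
		}
		/* Release the SOA rdataset before any failure jump. */
		dns_rdataset_disassociate(&rdataset);
		CHECK(result);
	}
	/* … unchanged: NSEC3PARAM lookup … */
```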