3348. [security] prevent RRSIG data from being cached if a negative
author: ckb <ckb@isc.org>
Mon, 9 Jul 2012 18:29:42 +0000 (13:29 -0500)
committer: ckb <ckb@isc.org>
Mon, 9 Jul 2012 18:29:42 +0000 (13:29 -0500)
record matching the covering type exists at a higher
trust level. Such data already can't be retrieved from
the cache since change 3218 -- this prevents it
being inserted into the cache as well. [RT #26809]

CHANGES
lib/dns/rbtdb.c

diff --git a/CHANGES b/CHANGES
index c82120c4974e73c4f17cd092888a23a30b896bed..015f9b3249d2710e31fefb3dac4fc089cf9d1a22 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+3348.  [security]      prevent RRSIG data from being cached if a negative 
+                       record matching the covering type exists at a higher 
+                       trust level. Such data already can't be retrieved from 
+                       the cache since change 3218 -- this prevents it 
+                       being inserted into the cache as well. [RT #26809]
+
 3346.  [security]      Bad-cache data could be used before it was
                        initialized, causing an assert. [RT #30025]
 
index 0db863d40adec4cccc3d797b2cef415f83a3cd96..2e8245d43b8fb05830ecb13ec3b2767ca80298f3 100644 (file)
@@ -5526,13 +5526,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
        negtype = 0;
        if (rbtversion == NULL && !newheader_nx) {
                rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+               covers = RBTDB_RDATATYPE_EXT(newheader->type);
+               sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
                if (NEGATIVE(newheader)) {
                        /*
                         * We're adding a negative cache entry.
                         */
-                       covers = RBTDB_RDATATYPE_EXT(newheader->type);
-                       sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
-                                                       covers);
                        for (topheader = rbtnode->data;
                             topheader != NULL;
                             topheader = topheader->next) {
@@ -5565,14 +5564,20 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
                         * We're adding something that isn't a
                         * negative cache entry.  Look for an extant
                         * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
-                        * cache entry.
+                        * cache entry.  If we're adding an RRSIG, also
+                        * check for an extant non-stale NODATA ncache
+                        * entry which covers the same type as the RRSIG.
                         */
                        for (topheader = rbtnode->data;
                             topheader != NULL;
                             topheader = topheader->next) {
-                               if (topheader->type ==
-                                   RBTDB_RDATATYPE_NCACHEANY)
-                                       break;
+                               if ((topheader->type ==
+                                       RBTDB_RDATATYPE_NCACHEANY) ||
+                                       (newheader->type == sigtype &&
+                                       topheader->type ==
+                                       RBTDB_RDATATYPE_VALUE(0, covers))) {
+                                               break;
+                                       }
                        }
                        if (topheader != NULL && EXISTS(topheader) &&
                            topheader->rdh_ttl > now) {
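Review bot: The extended condition in the for loop still breaks on the first topheader whose type matches, before the EXISTS/rdh_ttl test on the two lines after the loop runs, so when a stale NODATA(covers) entry sits earlier in the chain than a live NCACHEANY entry (or the reverse) the search stops at the stale one, the guard fails, and the RRSIG is cached as if no live negative entry existed. Whether a stale and a live negative entry of those two types can coexist at one node is not visible from this hunk, so this may be unreachable in practice; if it is reachable, skipping non-live headers inside the loop and leaving the existing guard as the trust gate closes the gap. Separately, `break;` and the closing `}` on the last two added lines are indented one level deeper than the `if` that owns them, and the continuation lines of the condition do not align under the opening parenthesis the way the rest of add() does. add() begins before the first hunk and continues past the last one.
```c
			for (topheader = rbtnode->data;
			     topheader != NULL;
			     topheader = topheader->next) {
				/* Only a live entry can veto the add. */
				if (!EXISTS(topheader) ||
				    topheader->rdh_ttl <= now)
					continue;
				if (topheader->type == RBTDB_RDATATYPE_NCACHEANY ||
				    (newheader->type == sigtype &&
				     topheader->type ==
				     RBTDB_RDATATYPE_VALUE(0, covers)))
					break;
			}
			/* … unchanged: EXISTS/ttl guard and trust comparison … */
```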
@@ -5595,7 +5600,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
                                }
                                /*
                                 * The new rdataset is better.  Expire the
-                                * NXDOMAIN/NODATA(QTYPE=ANY).
+                                * ncache entry.
                                 */
                                set_ttl(rbtdb, topheader, 0);
                                topheader->attributes |= RDATASET_ATTR_STALE;