From: W.C.A. Wijngaards Date: Tue, 21 Apr 2026 11:19:13 +0000 (+0200) Subject: - Fix that a DNAME with an unsigned CNAME is checked for X-Git-Tag: release-1.25.0rc1~3 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8a25a97687f4fa8978cd739288ceb58caec28997;p=thirdparty%2Funbound.git - Fix that a DNAME with an unsigned CNAME is checked for the correct match. This stops that for certain zone configurations an unchecked unsigned CNAME could get secure status. Thanks to Qifan Zhang, Palo Alto Networks for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 23a65d2ae..12dfb3559 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -34,6 +34,11 @@ the report. - Fix that signatures are not allowed with revoked dnskeys. Thanks to Qifan Zhang, Palo Alto Networks for the report. + - Fix that a DNAME with an unsigned CNAME is checked for + the correct match. This stops that for certain zone + configurations an unchecked unsigned CNAME could get + secure status. Thanks to Qifan Zhang, Palo Alto Networks + for the report. 20 April 2026: Wouter - Fix compile warnings for thread setname routine, and test compile. diff --git a/testdata/dname_unsigned_cname.rpl b/testdata/dname_unsigned_cname.rpl new file mode 100644 index 000000000..60866378f --- /dev/null +++ b/testdata/dname_unsigned_cname.rpl @@ -0,0 +1,297 @@ +; config options +; The island of trust is at test. +server: + trust-anchor: "test. DS 1444 8 2 8a87d067fd09a5965244fe2e317dd26d182c468e0a7f26ecc4c7b479bf89db9b" + val-override-date: "20201020135527" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no + iter-scrub-promiscuous: no + aggressive-nsec: yes + local-zone: test. nodefault + log-servfail: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test DNAME with an unsigned CNAME that mismatches the DNAME. +; The CNAME occurs later in a list of redirections. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +test. IN NS +SECTION AUTHORITY +test. IN NS ns.test. +SECTION ADDITIONAL +ns.test. IN A 1.2.3.5 +ENTRY_END +RANGE_END + +; ns.test +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +test. IN NS +SECTION ANSWER +test. IN NS ns.test +test. 3600 IN RRSIG NS 8 1 3600 20201116135527 20201019135527 1444 test. RGCxIO32TbbLTk6xZmTr+fjYPH50hntBxeOQ2DIj2pDsmjALcHYtVkOfpfk2EhOhHZd+9PLuoJPbJh6a9NqLSFeBvr0XZoCZoQ2g0tCHUNHcH5EVjA2TuYBQem6DVYnPLJ3914aRx0uA1j42b8dC2xsam/XkOo7U+dLbUW2Os1s= +SECTION ADDITIONAL +ns.test. IN A 1.2.3.5 +ns.test. 3600 IN RRSIG A 8 2 3600 20201116135527 20201019135527 1444 test. GskCc4/k6GjH9V9Jz2V5L2XLiizbOeWkB0feSbf+aN859S3vxVvtuqkvIgwY4LafUO1QAn/pUcv9zA7rcFO++rlg+8t6gvZTo9p3v0bfeIv2uJDsfSBD5jDh0WXlxjekfnrKrQp7zE+GiA93tWwKUWKPvxXDgP+n886e6WcbHJw= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.test. IN A +SECTION ANSWER +ns.test. IN A 1.2.3.5 +ns.test. 3600 IN RRSIG A 8 2 3600 20201116135527 20201019135527 1444 test. GskCc4/k6GjH9V9Jz2V5L2XLiizbOeWkB0feSbf+aN859S3vxVvtuqkvIgwY4LafUO1QAn/pUcv9zA7rcFO++rlg+8t6gvZTo9p3v0bfeIv2uJDsfSBD5jDh0WXlxjekfnrKrQp7zE+GiA93tWwKUWKPvxXDgP+n886e6WcbHJw= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.test. IN AAAA +SECTION AUTHORITY +test. 3600 IN SOA ns.test. host.test. 20201 3600 1800 604800 3600 +test. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 test. IZJIDmEgf0W7A5G7hvvZ2hUqJ9Trbv1/i7ySapDmPbYV9lVCmHHobySxO01yDhI2/Pvpsvxqrm1Tiv3BxH8uzZ4keKgiQjBsSy4htAsFct9I4E7ly2glPj/Fm3oun3PsjJDv5QYhx0KS7w4IQKU7Nc9pfJc92uoUI5bdoC1pRGw= +ns.test. 3600 IN NSEC nz.test. A RRSIG +ns.test. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 test. PElArVB3KPg8KHAP7lzcNbhFuXNxTsHNTn1dZVncB5qmWRdIaeKpaXDjpH0JSXMaelGFS+/QhuQ6Hmw9+4VyZFRqMzGhw4agUR/2bxABHcDIG4ZpUwyeSP61ATTfHUkQVxaH2wjCWI/tfmesdP2xVE4GXyUvCIBxU914MkZbULU= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +test. IN DNSKEY +SECTION ANSWER +test. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} +test. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 test. UmRMS4iG9NBBHZYOtpwFFcJgbEb5SfHSgHd9XRe/8pTWM31WSDayn5ViPOBMqI1T5TXg2amc13dDI574xIM2oKMus3b5cBW72jJLW13jprBtslO6P8BMWb4HNnvLrJtQjwf3ErRirtTxinLmywQtmyr1cdthyG3Gp4N7i90fHSc= +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.test. IN DS +SECTION ANSWER +example.test. 3600 IN DS 55567 8 2 a2d578906330a10a57d40462257b6ce038bad3f7bf4a45c46c46086e20a94b39 +example.test. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 test. P7+FTYW2qHuJ4I1YbuvseEz5X1lOYAraGEHB3C5y0OOCQFmhmSiFRdquNi2NlpcS6FXLdsE0EU+Bo1+0atTG4EkMWXbpF21lrtbB51BdsnlX4Mzc/o375fvjiOMwmF6wPCUaOUN62jrVrhsE/hedaVyDphDToqL17ETohwgUO2I= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.test. IN NS +SECTION AUTHORITY +example.test. IN NS ns.example.test. +example.test. 3600 IN DS 55567 8 2 a2d578906330a10a57d40462257b6ce038bad3f7bf4a45c46c46086e20a94b39 +example.test. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 test. P7+FTYW2qHuJ4I1YbuvseEz5X1lOYAraGEHB3C5y0OOCQFmhmSiFRdquNi2NlpcS6FXLdsE0EU+Bo1+0atTG4EkMWXbpF21lrtbB51BdsnlX4Mzc/o375fvjiOMwmF6wPCUaOUN62jrVrhsE/hedaVyDphDToqL17ETohwgUO2I= +SECTION ADDITIONAL +ns.example.test. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +fox.test. IN NS +SECTION AUTHORITY +fox.test. IN NS ns.fox.test. +fox.test. 3600 IN DS 29332 8 2 5b06f16c7b8cc07ba7b8e1ab0a40a40ecf89e1e94da2f0b1d2159b64dba80d96 +fox.test. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 test. B9bKqUJgJcGlKSWyGkdGGS6unKUwNJteTq08caL40QEZcAy836vwypGzOIQJNUw+mYIEecvtrF9H4mG+EjzDKv+n+36DCNvJMn6b8+FC9COw4mqITAjYPZjDwtOXAKVbuBuZJsbP2ztacJ98tXcORozaaKDGH/3fmsUlaKcuPmo= +SECTION ADDITIONAL +ns.fox.test. IN A 1.2.3.6 +ENTRY_END +RANGE_END + +; ns.example.test. +RANGE_BEGIN 0 15 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.test. IN NS +SECTION ANSWER +example.test. IN NS ns.example.test. +example.test. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55567 example.test. l1JT0wMlK0YI7/CWHzexf/k0iafUhCgN+BdgjBXIRXmSQNf4HDTiAkbcWL2/15qtnp12nQy9JeiTdSQ3vtPoHAJX4C5uTWaze4ms+Wrrf+n92sLCjacP9x50uuicH3URT6cKb1QCAPwlvlWxIlZjAMYFScSns7+C441NMJT8aE4= +SECTION ADDITIONAL +ns.example.test. IN A 1.2.3.4 +ns.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. 2PWaVaccZFQgfPKXNsdEGYUVaashCAj1ZhBo9XRt5eQKUFvZcauBjMnXIuxZFyWeootn1fZGw6GuPI5W48Y0FDx38H6adprkFgQikso2Y64jDdDMWznSo38Z/XqP+U0+kq4vmwonvmEMpm7hKnNEXvhqGKyGzyBwb+CZVJ2L8Eo= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.test. IN A +SECTION ANSWER +ns.example.test. IN A 1.2.3.4 +ns.example.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55567 example.test. 2PWaVaccZFQgfPKXNsdEGYUVaashCAj1ZhBo9XRt5eQKUFvZcauBjMnXIuxZFyWeootn1fZGw6GuPI5W48Y0FDx38H6adprkFgQikso2Y64jDdDMWznSo38Z/XqP+U0+kq4vmwonvmEMpm7hKnNEXvhqGKyGzyBwb+CZVJ2L8Eo= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.test. IN AAAA +SECTION AUTHORITY +example.test. 3600 IN SOA ns.example.test. host.example.test. 20301 3600 1800 604800 3600 +example.test. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55567 example.test. 2UUkScBAN37fJpSrelhE8DotKvmOzj3q9wicaanCIaCv95DE4nQnePih5B+ek3FIRjB/Uv2+z4Ro5Uxy94XAnlK0rCkDLSa0U9U7KP0ytc88sevO0x1SCPAMoZoJO6JqHkv42pdh54WSz+Zb/D8npY0j/tksHe/uX+VQnMymgb8= +ns.example.test. 3600 IN NSEC nz.example.test. A RRSIG +ns.example.test. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55567 example.test. v/5aO/n8Ow21y7LE7JKZsFkUJU5MjIfadVRm2Tdb8f3RLwYDdBTs3aWeeEQdCRSUF61TmfJM1jIxlWQPuHbqzGnjSk7adw9gFpP7wFwoqG3/xdCFHoxo/3/1F/4Ankey3sDgKgOFsgnu40TlL36mGPYszeK+/2o3SAx2GM+3BdU= +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.test. IN DNSKEY +SECTION ANSWER +example.test. 3600 IN DNSKEY 257 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55567 (ksk), size = 1024b} +example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55567 example.test. IbWMC6quOuZFNPAVxQLqCJ9nLhindBo826rnLcg5yMgs9dGUSPOCXAfHTmbgJAUNs9HTFfrJWNvasnETs0UOpmEuifGwWdH1OlME7Gny4RL2QmITUFeMW81Jz1tiVQxFXl6yxT0jxOxvz+bqMHlrz+8IeWQXcO+GZTPu8ueq30g= +ENTRY_END + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +a.d.example.test. IN A +SECTION ANSWER +d.example.test. 3600 IN DNAME tgt.example.test. +d.example.test. 3600 IN RRSIG DNAME 8 3 3600 20201116135527 20201019135527 55567 example.test. EGpXUnJuzkETAO2OWyZDrTeInnyxF7CXPXGDfFt2x3CBUeckUUZcgQQ3yMh+BATKph2nOhBfk8klvZ35C9sQO7Z32REAnqGjpHiR86xRPYxG62Nk9kXv1Odeh/adz2QhB93N8U7W57FM0P/VQDkP0GQXTSRGTuj+7ihfYVd4HWI= +; with CNAME signature +a.d.example.test. 3600 IN CNAME a.tgt.example.test. +a.d.example.test. 3600 IN RRSIG CNAME 8 4 3600 20201116135527 20201019135527 55567 example.test. efnytLE7P95kLr/tA9H0Z77VTOUQk24ci2bDgdVe8EuodTXtgg5PVHVLljD3QQ1Cpyme50odH/fhn2j1ORQpJTMk24Un/VRhVNquf+kj1nawJ59J0hjag4i0FIwZEG3/P7ogTB3Yd2y0Osb42Aawp48KvtVkUeBukk/GSutaTVQ= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +a.tgt.example.test. IN A +SECTION ANSWER +a.tgt.example.test. 3600 IN CNAME b.d.example.test. +a.tgt.example.test. 3600 IN RRSIG CNAME 8 4 3600 20201116135527 20201019135527 55567 example.test. XHYWSHIm9J8j8T1qMh1tHZS71UguXYUVescKPFtoGHRuyRhHNob+NAqdn3I4/+8HSSGrJDqhTX/Vo3rcc3/g5HOHScwzZByB/diyJWpG9IA7pm7c7FnHnHpGBVdHq9wXlkgCPiaJShpE1zg1nNy3p99ca9/wh4y9XWSfcl0L8aw= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +b.d.example.test. IN A +SECTION ANSWER +; This answer is injected +; Without an RRSIG. +b.d.example.test. 3600 IN CNAME www.fox.test. +ENTRY_END +RANGE_END + +; ns.fox.test. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.6 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.fox.test. IN AAAA +SECTION AUTHORITY +fox.test. 3600 IN SOA ns.fox.test. host.fox.test. 20601 3600 1800 604800 3600 +fox.test. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 29332 fox.test. QScf+vyis5/Km03ALuLQDfUDagA9/UG/oIQw6LnvmsVoqJSNXa3LIObWT9zfWgdJT0qFayWR4K9hnd9rT1enuVmXX8k47s7AjPZmE0qQxms5xz7jOhj/XLFplXOE9/GkgvAZKPb42qkU3Xf6Bevxzfy4/qW7+yXflWsjLV1vAhz38M4ESeWp0MDme8+DND0f7aoprGcC5saAPfa35nQhHS40q4IwiUDBBk1uwhCBF9ZGsjRfXmECOxIc1/0hBOv+Hhwog4K5b8rdl7LA2VggNiVOUuLFpXEH0XxknEspbQwWppP4TWC1H2QYGaKCc2Hu7NBhM/Ly7caGK+2u1MZvsg== +ns.fox.test. 3600 IN NSEC nz.fox.test. A RRSIG +ns.fox.test. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 29332 fox.test. RQjV2PHbBVdGhvSRl0lutzoIZ9KezBAAwvI5sQoIGLdlMeQxj/BOy16auYRLTxvB9xehkrTTeL5xYUwcbi4uFS/kr3IUmlVXeldHOk4T42huV9MGfWzguUsB2jjsrcdt11qEnLo27SVVcvQReswwfpOPRPHg52fS6vt50AIWwttLOLvZEGiGIjRGb4lBaCnoO6YYzOnwcRCV0UScTjlPxS1SBEKsdbPvzfUUyp+wOVnIVAXrd0xEChB7QrTIrcBt4mutXVUNBDcfkZCXgEwu3scWQQS8rNO6O3PvpLgs6PIHX191WjovkJ9/PL+8MO/7UUatSWhZUwuQBUq6VofCYw== +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +fox.test. IN DNSKEY +SECTION ANSWER +fox.test. IN DNSKEY 257 3 8 AwEAAb4WMOTBLTFvmBra5m6SK4VfViOzmvyUAU0qv861ZQXeEFvwlndqNU9rwRsMxrSWAYs5nHErKDn49usC/HyxxW1477iGFHhfgL4mjNreJm9zft2QFB1VLbRbEPYdDMLCn4co0qnG7/KG8W2i8Pym1L7f+aREwbLo+/716AS2PbaKMhfWLKLiq5wnBcUClQMNzCiwhqxDJp1oePqfkVdeUgXOtgi0dYRIKyQFhJ5VWJ22npoi/Gif0XLCADAlAwRLKc8o/yJkCxskzgpHpw5Cki1lclg0aq4ssOuPRQ+ne6IHYCz9D2mwzulblhLFamKdq7aHzNt4NlyxhpANVFiKLD8= ;{id = 29332 (ksk), size = 2048b} +fox.test. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 29332 fox.test. bTslCQKai9U9EWkBPnMiO+Rb34qMAZSzfgEb68x+ZKi2DDyzK7v8TCX8unTlqeQCnTqqgJ7cCUcqrbSV3ip9WGNe5fUy5j9hxH04ddLcDhygnjLi4C7iQX67ratRGu1JM3Evk/gVF76a5J2RSQk340jOFHC0nnjWOMHlDDxBeK4Zr6lYvAMJB2uy08xbi1FuGUSPcrbRFnVb74QMAPLS9Uj5JM8lMsOMtrhHX9zBN8Euo4M1X0sinBdJse3P/fIZ+ZvSnOEpVvur3bcUl+bqFJ18nM/Mj/e3XW3WBWE1dI6p6HdAXLrJyjJINzm+YnNzj11tzu/e4BQCjOutY9XkKA== +ENTRY_END + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.fox.test. IN A +SECTION ANSWER +www.fox.test. 3600 IN A 10.20.30.43 +www.fox.test. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 29332 fox.test. ehPLws7Jnlx5Trm7Z8Hxr0WkLdkxyif+E1aGzFMib4eP0nvLV89WOQ2Fpm1xT/VaNJBXjXhWPB0Oo/gAKVs1znqmyjutFdXi2+9rXnK73jD2+rWBGW/sgBl/9cr458j7441nEK18Mq4SserQcLBqM38IivTlK1J5uXUpEPKMCSA82waf0Z+LUk8czFqeYy+KlJSsiu33mrVWrjyNLIXCbZ2dxfdaVSKyAoQafiokp1NGnw3onQkXXOPqJ7GRsN8Ml4c2nOrEYIG6otoZXXjtkoNCOHzBBkPVEP82JjzQchq0fDWQ2UHOXXZYBG/B6m5PuOXmgKJVDKZ/iVNQofPp8w== +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +a.d.example.test. IN A +ENTRY_END + +STEP 10 TRAFFIC +; The unsigned CNAME should make SERVFAIL. + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA DO SERVFAIL +SECTION QUESTION +a.d.example.test. IN A +SECTION ANSWER +ENTRY_END + +SCENARIO_END diff --git a/validator/val_utils.c b/validator/val_utils.c index 1a5f19673..411a63b25 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c @@ -1334,3 +1334,26 @@ val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, env->scratch_buffer, *env->now, 0, topname, env->cfg); return msg; } + +int derive_cname_from_dname(struct ub_packed_rrset_key* cname, + struct ub_packed_rrset_key* dname, uint8_t* out, size_t outlen) +{ + size_t prefix_len; + uint8_t* dname_target = NULL; + size_t dname_target_len = 0; + if(!dname_strict_subdomain_c(cname->rk.dname, dname->rk.dname)) + return 0; /* Invalid: CNAME owner must be subdomain */ + get_cname_target(dname, &dname_target, &dname_target_len); + if(!dname_target || !dname_target_len) + return 0; /* DNAME malformed */ + if(cname->rk.dname_len < dname->rk.dname_len) + return 0; /* Not possible, due to subdomain, but check */ + if(cname->rk.dname_len == 0) + return 0; /* Not possible, but check */ + prefix_len = cname->rk.dname_len - dname->rk.dname_len; + if(prefix_len + dname_target_len > outlen) + return 0; /* Buffer too small */ + memmove(out, cname->rk.dname, prefix_len); + memmove(out+prefix_len, dname_target, dname_target_len); + return 1; +} diff --git a/validator/val_utils.h b/validator/val_utils.h index 4fe38c1bb..a584deea4 100644 --- a/validator/val_utils.h +++ b/validator/val_utils.h @@ -427,4 +427,15 @@ int val_favorite_ds_algo(struct ub_packed_rrset_key* ds_rrset); struct dns_msg* val_find_DS(struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t c, struct regional* region, uint8_t* topname); +/** + * Derive expected CNAME target from DNAME substitution per RFC 6672 s3.1 + * @param cname: CNAME RRset, (e.g., b.d.a005.test CNAME ) + * @param dname: DNAME RRset, (e.g., d.a005.test DNAME tgt.a005.test) + * @param out: Output buffer for expected CNAME target + * @param outlen: Output buffer size + * @return: 1 on success, 0 on error + */ +int derive_cname_from_dname(struct ub_packed_rrset_key* cname, + struct ub_packed_rrset_key* dname, uint8_t* out, size_t outlen); + #endif /* VALIDATOR_VAL_UTILS_H */ diff --git a/validator/validator.c b/validator/validator.c index d6f57bcc9..b3d55f075 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -710,6 +710,37 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq, ((struct packed_rrset_data*)chase_reply->rrsets[i-1]->entry.data)->security == sec_status_secure && dname_strict_subdomain_c(s->rk.dname, chase_reply->rrsets[i-1]->rk.dname) ) { + /* Check that the CNAME target matches the DNAME + * derivation. Zone changes during the redirection + * lookups or looped DNAMEs can have such a CNAME. */ + uint8_t expected_target[LDNS_MAX_DOMAINLEN]; + uint8_t* cname_target = NULL; + size_t cname_target_len = 0; + get_cname_target(s, &cname_target, &cname_target_len); + if(!cname_target || + !derive_cname_from_dname(s, /* CNAME RRset */ + chase_reply->rrsets[i-1], /* DNAME RRset */ + expected_target, /* Output buffer */ + sizeof(expected_target))) { + verbose(VERB_ALGO, "DNAME CNAME derivation failed"); + errinf_ede(qstate, "DNAME CNAME derivation failed", reason_bogus); + errinf_origin(qstate, qstate->reply_origin); + chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, reason_bogus); + return 0; + } + if(query_dname_compare(cname_target, expected_target) != 0) { + verbose(VERB_ALGO, "CNAME target mismatch: not synthesized from DNAME"); + errinf_ede(qstate, "CNAME target mismatch: not synthesized from DNAME", reason_bogus); + errinf_dname(qstate, ", for", s->rk.dname); + errinf_dname(qstate, "CNAME", cname_target); + errinf(qstate, ","); + errinf_origin(qstate, qstate->reply_origin); + chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, reason_bogus); + return 0; + } + /* CNAME was synthesized by our own iterator */ /* since the DNAME verified, mark the CNAME as secure */ ((struct packed_rrset_data*)s->entry.data)->security =