From: Ondřej Surý Date: Thu, 2 Jul 2026 08:05:30 +0000 (+0200) Subject: Reject an RRSIG that covers a signature type X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=9596a03d21b6702105aaf52b6893f56dc758bb60;p=thirdparty%2Fbind9.git Reject an RRSIG that covers a signature type An RRSIG whose Type-Covered field is RRSIG is not a meta-type, so it passed the message parser, and for an insecure domain the resolver cached it as a standalone signature. The QP cache pairs every RRSIG header with the non-signature header it covers and never expects the covered type to itself be a signature, so a signature covering a signature broke that invariant and aborted named on a crafted response. Reject the record in the parser, and tighten the cache precondition so a positive signature header must cover a non-signature type. --- diff --git a/lib/dns/message.c b/lib/dns/message.c index 424a11ff2d5..0f7e6733af5 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -1264,7 +1264,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t dctx, covers = dns_rdata_covers(rdata); /* A signature can only cover a real rdata type */ if (covers == dns_rdatatype_none || - dns_rdatatype_ismeta(covers)) + dns_rdatatype_ismeta(covers) || + dns_rdatatype_issig(covers)) { DO_ERROR(DNS_R_FORMERR); } diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c index 2ced865b833..1a0d0f129d1 100644 --- a/lib/dns/qpcache.c +++ b/lib/dns/qpcache.c @@ -2283,8 +2283,12 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader, REQUIRE(rdtype != dns_rdatatype_none); if (dns_rdatatype_issig(rdtype)) { - /* signature must be either negative or cover something */ - REQUIRE(NEGATIVE(newheader) || covers != dns_rdatatype_none); + /* + * signature must be either negative or cover something + * that's not a signature + */ + REQUIRE(NEGATIVE(newheader) || (covers != dns_rdatatype_none && + !dns_rdatatype_issig(covers))); } else { /* non-signature it must cover nothing */ REQUIRE(covers == dns_rdatatype_none);