mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
enabled (RFC9077).
This commit is contained in:
parent
d3fdbba877
commit
24e0f0ab7e
@ -1,3 +1,7 @@
|
||||
10 September 2024: Wouter
|
||||
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
|
||||
enabled (RFC9077).
|
||||
|
||||
6 September 2024: Yorgos
|
||||
- Fix alloc-size and calloc-transposed-args compiler warnings.
|
||||
- Fix comment to not trigger doxygen unknown command.
|
||||
|
@ -367,6 +367,48 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
|
||||
return error_response(qstate, id, rcode);
|
||||
}
|
||||
|
||||
/** limit NSEC and NSEC3 TTL in response, RFC9077 */
|
||||
static void
|
||||
limit_nsec_ttl(struct dns_msg* msg)
|
||||
{
|
||||
size_t i;
|
||||
int found = 0;
|
||||
time_t soa_ttl = 0;
|
||||
/* Limit the NSEC and NSEC3 TTL values to the SOA TTL and SOA minimum
|
||||
* TTL. That has already been applied to the SOA record ttl. */
|
||||
for(i=0; i<msg->rep->rrset_count; i++) {
|
||||
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
|
||||
if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA) {
|
||||
struct packed_rrset_data* soadata = (struct packed_rrset_data*)s->entry.data;
|
||||
found = 1;
|
||||
soa_ttl = soadata->ttl;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(!found)
|
||||
return;
|
||||
for(i=0; i<msg->rep->rrset_count; i++) {
|
||||
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
|
||||
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC ||
|
||||
ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
|
||||
struct packed_rrset_data* data = (struct packed_rrset_data*)s->entry.data;
|
||||
/* Limit the negative TTL. */
|
||||
if(data->ttl > soa_ttl) {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char buf[256];
|
||||
snprintf(buf, sizeof(buf),
|
||||
"limiting TTL %d of %s record to the SOA TTL of %d for",
|
||||
(int)data->ttl, ((ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC)?"NSEC":"NSEC3"), (int)soa_ttl);
|
||||
log_nametypeclass(VERB_ALGO, buf,
|
||||
s->rk.dname, ntohs(s->rk.type),
|
||||
ntohs(s->rk.rrset_class));
|
||||
}
|
||||
data->ttl = soa_ttl;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/** check if prepend item is duplicate item */
|
||||
static int
|
||||
prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to,
|
||||
@ -4366,7 +4408,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
if(verbosity >= VERB_ALGO)
|
||||
log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
|
||||
iq->response->rep);
|
||||
|
||||
|
||||
if(qstate->env->cfg->aggressive_nsec) {
|
||||
limit_nsec_ttl(iq->response);
|
||||
}
|
||||
if(event == module_event_capsfail || iq->caps_fallback) {
|
||||
if(qstate->env->cfg->qname_minimisation &&
|
||||
iq->minimisation_state != DONOT_MINIMISE_STATE) {
|
||||
|
Loading…
Reference in New Issue
Block a user