- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is

enabled (RFC9077).
W.C.A. Wijngaards 2024-09-10 10:13:48 +02:00
parent d3fdbba877
commit 24e0f0ab7e
2 changed files with 50 additions and 1 deletions


@ -1,3 +1,7 @@
10 September 2024: Wouter
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
enabled (RFC9077).
6 September 2024: Yorgos 6 September 2024: Yorgos
- Fix alloc-size and calloc-transposed-args compiler warnings. - Fix alloc-size and calloc-transposed-args compiler warnings.
- Fix comment to not trigger doxygen unknown command. - Fix comment to not trigger doxygen unknown command.


@ -367,6 +367,48 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
return error_response(qstate, id, rcode); return error_response(qstate, id, rcode);
} }
/** limit NSEC and NSEC3 TTL in response, RFC9077 */
static void
limit_nsec_ttl(struct dns_msg* msg)
{
size_t i;
int found = 0;
time_t soa_ttl = 0;
/* Limit the NSEC and NSEC3 TTL values to the SOA TTL and SOA minimum
* TTL. That has already been applied to the SOA record ttl. */
for(i=0; i<msg->rep->rrset_count; i++) {
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA) {
struct packed_rrset_data* soadata = (struct packed_rrset_data*)s->entry.data;
found = 1;
soa_ttl = soadata->ttl;
break;
}
}
if(!found)
return;
for(i=0; i<msg->rep->rrset_count; i++) {
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC ||
ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
struct packed_rrset_data* data = (struct packed_rrset_data*)s->entry.data;
/* Limit the negative TTL. */
if(data->ttl > soa_ttl) {
if(verbosity >= VERB_ALGO) {
char buf[256];
snprintf(buf, sizeof(buf),
"limiting TTL %d of %s record to the SOA TTL of %d for",
(int)data->ttl, ((ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC)?"NSEC":"NSEC3"), (int)soa_ttl);
log_nametypeclass(VERB_ALGO, buf,
s->rk.dname, ntohs(s->rk.type),
ntohs(s->rk.rrset_class));
}
data->ttl = soa_ttl;
}
}
}
}
/** check if prepend item is duplicate item */ /** check if prepend item is duplicate item */
static int static int
prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to, prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to,
@ -4367,6 +4409,9 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo, log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
iq->response->rep); iq->response->rep);
if(qstate->env->cfg->aggressive_nsec) {
limit_nsec_ttl(iq->response);
}
if(event == module_event_capsfail || iq->caps_fallback) { if(event == module_event_capsfail || iq->caps_fallback) {
if(qstate->env->cfg->qname_minimisation && if(qstate->env->cfg->qname_minimisation &&
iq->minimisation_state != DONOT_MINIMISE_STATE) { iq->minimisation_state != DONOT_MINIMISE_STATE) {
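Review bot: In `limit_nsec_ttl` only the rrset-level `data->ttl` is capped; if `packed_rrset_data` also carries the per-RR `rr_ttl[]` array (not visible in this hunk), the NSEC/NSEC3 RRs can still be encoded into replies with their original, larger TTL even though the cache entry itself now expires at the SOA TTL, so the cap should also be applied per RR, e.g. `for(j=0; j<data->count+data->rrsig_count; j++) if(data->rr_ttl[j] > soa_ttl) data->rr_ttl[j] = soa_ttl;`. The comment at the top of the function relies on the SOA MINIMUM clamp having already been applied to `soadata->ttl` by an earlier stage; naming that stage in the comment would make the invariant checkable by the next reader, since the function silently produces the RFC 4034 TTL rather than the RFC 9077 one if that precondition does not hold. The first SOA in any section is used without checking that it belongs to the authority section of a negative response, which is probably harmless here but deserves a one-line comment. `process_response`, where the new `limit_nsec_ttl(iq->response)` call is placed in the second hunk, starts and ends outside the hunk.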