- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
enabled (RFC9077).
This commit is contained in:
parent
d3fdbba877
commit
24e0f0ab7e
@ -1,3 +1,7 @@
|
|||||||
|
10 September 2024: Wouter
|
||||||
|
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
|
||||||
|
enabled (RFC9077).
|
||||||
|
|
||||||
6 September 2024: Yorgos
|
6 September 2024: Yorgos
|
||||||
- Fix alloc-size and calloc-transposed-args compiler warnings.
|
- Fix alloc-size and calloc-transposed-args compiler warnings.
|
||||||
- Fix comment to not trigger doxygen unknown command.
|
- Fix comment to not trigger doxygen unknown command.
|
||||||
|
@ -367,6 +367,48 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
|
|||||||
return error_response(qstate, id, rcode);
|
return error_response(qstate, id, rcode);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** limit NSEC and NSEC3 TTL in response, RFC9077 */
|
||||||
|
static void
|
||||||
|
limit_nsec_ttl(struct dns_msg* msg)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
int found = 0;
|
||||||
|
time_t soa_ttl = 0;
|
||||||
|
/* Limit the NSEC and NSEC3 TTL values to the SOA TTL and SOA minimum
|
||||||
|
* TTL. That has already been applied to the SOA record ttl. */
|
||||||
|
for(i=0; i<msg->rep->rrset_count; i++) {
|
||||||
|
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
|
||||||
|
if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA) {
|
||||||
|
struct packed_rrset_data* soadata = (struct packed_rrset_data*)s->entry.data;
|
||||||
|
found = 1;
|
||||||
|
soa_ttl = soadata->ttl;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if(!found)
|
||||||
|
return;
|
||||||
|
for(i=0; i<msg->rep->rrset_count; i++) {
|
||||||
|
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
|
||||||
|
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC ||
|
||||||
|
ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
|
||||||
|
struct packed_rrset_data* data = (struct packed_rrset_data*)s->entry.data;
|
||||||
|
/* Limit the negative TTL. */
|
||||||
|
if(data->ttl > soa_ttl) {
|
||||||
|
if(verbosity >= VERB_ALGO) {
|
||||||
|
char buf[256];
|
||||||
|
snprintf(buf, sizeof(buf),
|
||||||
|
"limiting TTL %d of %s record to the SOA TTL of %d for",
|
||||||
|
(int)data->ttl, ((ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC)?"NSEC":"NSEC3"), (int)soa_ttl);
|
||||||
|
log_nametypeclass(VERB_ALGO, buf,
|
||||||
|
s->rk.dname, ntohs(s->rk.type),
|
||||||
|
ntohs(s->rk.rrset_class));
|
||||||
|
}
|
||||||
|
data->ttl = soa_ttl;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/** check if prepend item is duplicate item */
|
/** check if prepend item is duplicate item */
|
||||||
static int
|
static int
|
||||||
prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to,
|
prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to,
|
||||||
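Review bot: Only the rrset-level TTL is capped at `data->ttl = soa_ttl;`; if `packed_rrset_data` also carries per-record `rr_ttl[]` values that are used when the rrset is encoded to the wire, the NSEC/NSEC3 records would presumably still leave with the original, larger TTL while the cache entry itself expires at the SOA TTL, which is the inconsistency RFC 9077 is meant to prevent. I would cap those in the same branch, as in the fence below (needs a `size_t j;` next to the existing `size_t i;`). A smaller point of style: `ntohs(s->rk.type)` is evaluated four times per iteration of the second loop; hoisting it into a local such as `uint16_t t = ntohs(s->rk.type);` would make the NSEC/NSEC3 test and the log message easier to read. limit_nsec_ttl is entirely within the hunk.
```c
			if(data->ttl > soa_ttl) {
				/* … unchanged: VERB_ALGO log message … */
				data->ttl = soa_ttl;
				/* keep per-record TTLs consistent with the capped rrset TTL */
				for(j=0; j<data->count+data->rrsig_count; j++) {
					if(data->rr_ttl[j] > soa_ttl)
						data->rr_ttl[j] = soa_ttl;
				}
			}
```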
@ -4366,7 +4408,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
|||||||
if(verbosity >= VERB_ALGO)
|
if(verbosity >= VERB_ALGO)
|
||||||
log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
|
log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
|
||||||
iq->response->rep);
|
iq->response->rep);
|
||||||
|
|
||||||
|
if(qstate->env->cfg->aggressive_nsec) {
|
||||||
|
limit_nsec_ttl(iq->response);
|
||||||
|
}
|
||||||
if(event == module_event_capsfail || iq->caps_fallback) {
|
if(event == module_event_capsfail || iq->caps_fallback) {
|
||||||
if(qstate->env->cfg->qname_minimisation &&
|
if(qstate->env->cfg->qname_minimisation &&
|
||||||
iq->minimisation_state != DONOT_MINIMISE_STATE) {
|
iq->minimisation_state != DONOT_MINIMISE_STATE) {
|
||||||
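Review bot: The new call site gives no hint of why the cap is applied at this point of process_response rather than when the rrsets are stored; a one-line comment above `if(qstate->env->cfg->aggressive_nsec) {` such as `/* RFC9077: cap NSEC/NSEC3 TTLs to the SOA TTL before the scrubbed response is cached for aggressive-nsec use */` would help the next reader. Since the cap presumably runs only for responses that pass through here after scrubbing, NSEC/NSEC3 rrsets already cached before aggressive-nsec was enabled would keep their original TTL until they expire; if that is intended it is worth a sentence in the changelog entry. process_response starts and ends outside the hunk.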
|