clones/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2024-09-21 06:37:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

A little more strict DS scrubbing.

Browse Source 
git-svn-id: file:///svn/unbound/trunk@1986 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2010-02-18 09:47:08 +00:00
parent 36ccd87840
commit 38c6664caf
4 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/Changelog
View File

@ -1,3 +1,6 @@
18 February 2010: Wouter
- A little more strict DS scrubbing.
17 February 2010: Wouter
- Disregard DNSKEY from authority section for chain of trust.
DS records that are irrelevant to a referral scrubbed. Anti-poison.

12
iterator/iter_utils.c
View File

@ -757,20 +757,22 @@ iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
}
void
iter_scrub_ds(struct ub_packed_rrset_key* ns, struct dns_msg* msg)
iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
{
/* Only the DS record for the delegation itself is expected.
* We allow DS for everything between the bailiwick and the
* zonecut, thus DS records must be at or above the zonecut.
* And the DS records must be below the server authority zone.
* The answer section is already scrubbed. */
size_t i = msg->rep->an_numrrsets;
while(i < (msg->rep->an_numrrsets + msg->rep->ns_numrrsets)) {
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
if(ntohs(s->rk.type) == LDNS_RR_TYPE_DS &&
!dname_subdomain_c(ns->rk.dname, s->rk.dname)) {
log_nametypeclass(VERB_ALGO, "removing irrelevant DS "
"from referral", s->rk.dname,
ntohs(s->rk.type), ntohs(s->rk.rrset_class));
(!ns || !dname_subdomain_c(ns->rk.dname, s->rk.dname)
|| query_dname_compare(z, s->rk.dname) == 0)) {
log_nametypeclass(VERB_ALGO, "removing irrelevant DS",
s->rk.dname, ntohs(s->rk.type),
ntohs(s->rk.rrset_class));
memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1,
sizeof(struct ub_packed_rrset_key*) *
(msg->rep->rrset_count-i-1));

7
iterator/iter_utils.h
View File

@ -248,9 +248,12 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
/**
* Remove DS records that are inappropriate before they are cached.
* @param ns: RRSET that is the NS record for the referral.
* @param msg: the response to scrub.
* @param ns: RRSET that is the NS record for the referral.
* if NULL, then all DS records are removed from the authority section.
* @param z: zone name that the response is from.
*/
void iter_scrub_ds(struct ub_packed_rrset_key* ns, struct dns_msg* msg);
void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
uint8_t* z);
#endif /* ITERATOR_ITER_UTILS_H */

4
iterator/iterator.c
View File

@ -1613,8 +1613,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
verbose(VERB_ALGO, "bad referral, throwaway");
type = RESPONSE_TYPE_THROWAWAY;
} else
iter_scrub_ds(ns, iq->response);
}
iter_scrub_ds(iq->response, ns, iq->dp->name);
} else iter_scrub_ds(iq->response, NULL, NULL);
/* handle each of the type cases */
if(type == RESPONSE_TYPE_ANSWER) {