A little more strict DS scrubbing.
git-svn-id: file:///svn/unbound/trunk@1986 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
36ccd87840
commit
38c6664caf
@ -1,3 +1,6 @@
|
||||
18 February 2010: Wouter
|
||||
- A little more strict DS scrubbing.
|
||||
|
||||
17 February 2010: Wouter
|
||||
- Disregard DNSKEY from authority section for chain of trust.
|
||||
DS records that are irrelevant to a referral scrubbed. Anti-poison.
|
||||
|
@ -757,20 +757,22 @@ iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
|
||||
}
|
||||
|
||||
void
|
||||
iter_scrub_ds(struct ub_packed_rrset_key* ns, struct dns_msg* msg)
|
||||
iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z)
|
||||
{
|
||||
/* Only the DS record for the delegation itself is expected.
|
||||
* We allow DS for everything between the bailiwick and the
|
||||
* zonecut, thus DS records must be at or above the zonecut.
|
||||
* And the DS records must be below the server authority zone.
|
||||
* The answer section is already scrubbed. */
|
||||
size_t i = msg->rep->an_numrrsets;
|
||||
while(i < (msg->rep->an_numrrsets + msg->rep->ns_numrrsets)) {
|
||||
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
|
||||
if(ntohs(s->rk.type) == LDNS_RR_TYPE_DS &&
|
||||
!dname_subdomain_c(ns->rk.dname, s->rk.dname)) {
|
||||
log_nametypeclass(VERB_ALGO, "removing irrelevant DS "
|
||||
"from referral", s->rk.dname,
|
||||
ntohs(s->rk.type), ntohs(s->rk.rrset_class));
|
||||
(!ns || !dname_subdomain_c(ns->rk.dname, s->rk.dname)
|
||||
|| query_dname_compare(z, s->rk.dname) == 0)) {
|
||||
log_nametypeclass(VERB_ALGO, "removing irrelevant DS",
|
||||
s->rk.dname, ntohs(s->rk.type),
|
||||
ntohs(s->rk.rrset_class));
|
||||
memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1,
|
||||
sizeof(struct ub_packed_rrset_key*) *
|
||||
(msg->rep->rrset_count-i-1));
|
||||
|
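Review bot: The new condition removes a DS whose owner name equals z but still keeps a DS that lies above z, while the comment left at the top of the function says DS records "must be below the server authority zone"; assuming dname_subdomain_c(a, b) tests whether a is at or under b, as the existing zonecut check reads, the stricter form would be `|| !dname_subdomain_c(s->rk.dname, z)` ahead of the equality compare. If out-of-bailiwick authority records are instead relied on to have been dropped by the general message scrubber before this point, the comment should say that, since the code alone does not enforce "below". z is only dereferenced when ns is non-NULL because of the short-circuit on `!ns`, which the `iter_scrub_ds(iq->response, NULL, NULL)` caller depends on; a one-line comment such as `/* z may be NULL when ns is NULL; !ns short-circuits before z is used */` makes that contract visible. The body of iter_scrub_ds continues past the hunk.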
@ -248,9 +248,12 @@ int iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd,
|
||||
|
||||
/**
|
||||
* Remove DS records that are inappropriate before they are cached.
|
||||
* @param ns: RRSET that is the NS record for the referral.
|
||||
* @param msg: the response to scrub.
|
||||
* @param ns: RRSET that is the NS record for the referral.
|
||||
* if NULL, then all DS records are removed from the authority section.
|
||||
* @param z: zone name that the response is from.
|
||||
*/
|
||||
void iter_scrub_ds(struct ub_packed_rrset_key* ns, struct dns_msg* msg);
|
||||
void iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns,
|
||||
uint8_t* z);
|
||||
|
||||
#endif /* ITERATOR_ITER_UTILS_H */
|
||||
|
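Review bot: The new `@param z` line only says which zone the response comes from, but the iterator.c call `iter_scrub_ds(iq->response, NULL, NULL)` passes NULL for it, so the header should state when that is permitted, e.g. `* @param z: zone name that the response is from. May be NULL only when ns is NULL.` It would also help callers to say that the function mutates msg, removing the matching DS rrsets from its authority section in place, since the return type is void and nothing else signals the side effect.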
@ -1613,8 +1613,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
verbose(VERB_ALGO, "bad referral, throwaway");
|
||||
type = RESPONSE_TYPE_THROWAWAY;
|
||||
} else
|
||||
iter_scrub_ds(ns, iq->response);
|
||||
}
|
||||
iter_scrub_ds(iq->response, ns, iq->dp->name);
|
||||
} else iter_scrub_ds(iq->response, NULL, NULL);
|
||||
|
||||
/* handle each of the type cases */
|
||||
if(type == RESPONSE_TYPE_ANSWER) {
|
||||
|
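Review bot: The scrub now also runs on the throwaway path: after the `}` that closes the bad-referral block, `iter_scrub_ds(iq->response, ns, iq->dp->name);` is reached whether or not type was just set to RESPONSE_TYPE_THROWAWAY, whereas the old code scrubbed only the accepted referral; this looks harmless if the message is discarded afterwards, but a short comment saying the extra scrub is intentional would save the next reader the question. As a point of style, `} else iter_scrub_ds(iq->response, NULL, NULL);` puts an unbraced statement on the brace line while the surrounding code braces its if-bodies, so `} else {` / `iter_scrub_ds(iq->response, NULL, NULL);` / `}` reads more consistently. processQueryResponse begins and ends outside the hunk, so whether iq->dp is guaranteed non-NULL at this point cannot be confirmed from here.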