mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 14:47:09 +00:00
Remove overreaching NSEC rrsets.
git-svn-id: file:///svn/unbound/trunk@1207 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
fcbc34bd7f
commit
82ce090a35
@ -1,3 +1,9 @@
|
|||||||
|
26 August 2008: Wouter
|
||||||
|
- test for insecure zone when DLV is in use, also does negative cache.
|
||||||
|
- test for trustanchor when DLV is in use (the anchor works).
|
||||||
|
- test for DLV used for a zone below a trustanchor.
|
||||||
|
- added scrub filter for overreaching NSEC records and unit test.
|
||||||
|
|
||||||
25 August 2008: Wouter
|
25 August 2008: Wouter
|
||||||
- realclean patch from Robert Edmonds.
|
- realclean patch from Robert Edmonds.
|
||||||
|
|
||||||
|
@ -518,6 +518,35 @@ store_rrset(ldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
|
|||||||
env->alloc, now);
|
env->alloc, now);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if right hand name in NSEC is within zone
|
||||||
|
* @param rrset: the NSEC rrset
|
||||||
|
* @param zonename: the zone name.
|
||||||
|
* @return true if BAD.
|
||||||
|
*/
|
||||||
|
static int sanitize_nsec_is_overreach(struct rrset_parse* rrset,
|
||||||
|
uint8_t* zonename)
|
||||||
|
{
|
||||||
|
struct rr_parse* rr;
|
||||||
|
uint8_t* rhs;
|
||||||
|
size_t len;
|
||||||
|
log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
|
||||||
|
for(rr = rrset->rr_first; rr; rr = rr->next) {
|
||||||
|
rhs = rr->ttl_data+4+2;
|
||||||
|
len = ldns_read_uint16(rr->ttl_data+4);
|
||||||
|
if(!(len=dname_valid(rhs, len))) {
|
||||||
|
/* malformed domain name in rdata */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if(!dname_subdomain_c(rhs, zonename)) {
|
||||||
|
/* overreaching */
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* all NSEC RRs OK */
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a response event, remove suspect RRsets from the response.
|
* Given a response event, remove suspect RRsets from the response.
|
||||||
* "Suspect" rrsets are potentially poison. Note that this routine expects
|
* "Suspect" rrsets are potentially poison. Note that this routine expects
|
||||||
@ -608,6 +637,13 @@ scrub_sanitize(ldns_buffer* pkt, struct msg_parse* msg,
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
/* check if right hand side of NSEC is within zone */
|
||||||
|
if(rrset->type == LDNS_RR_TYPE_NSEC &&
|
||||||
|
sanitize_nsec_is_overreach(rrset, zonename)) {
|
||||||
|
remove_rrset("sanitize: removing overreaching NSEC "
|
||||||
|
"RRset:", pkt, msg, prev, &rrset);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
prev = rrset;
|
prev = rrset;
|
||||||
rrset = rrset->rrset_all_next;
|
rrset = rrset->rrset_all_next;
|
||||||
}
|
}
|
||||||
|
146
testdata/val_nx_overreach.rpl
vendored
Normal file
146
testdata/val_nx_overreach.rpl
vendored
Normal file
@ -0,0 +1,146 @@
|
|||||||
|
; config options
|
||||||
|
; The island of trust is at example.com
|
||||||
|
server:
|
||||||
|
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||||
|
val-override-date: "20070916134226"
|
||||||
|
|
||||||
|
stub-zone:
|
||||||
|
name: "."
|
||||||
|
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||||
|
CONFIG_END
|
||||||
|
|
||||||
|
SCENARIO_BEGIN Test validator with overreaching NSEC record
|
||||||
|
|
||||||
|
; K.ROOT-SERVERS.NET.
|
||||||
|
RANGE_BEGIN 0 100
|
||||||
|
ADDRESS 193.0.14.129
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
. IN NS
|
||||||
|
SECTION ANSWER
|
||||||
|
. IN NS K.ROOT-SERVERS.NET.
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
www.example.com. IN A
|
||||||
|
SECTION AUTHORITY
|
||||||
|
com. IN NS a.gtld-servers.net.
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
a.gtld-servers.net. IN A 192.5.6.30
|
||||||
|
ENTRY_END
|
||||||
|
RANGE_END
|
||||||
|
|
||||||
|
; a.gtld-servers.net.
|
||||||
|
RANGE_BEGIN 0 100
|
||||||
|
ADDRESS 192.5.6.30
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
com. IN NS
|
||||||
|
SECTION ANSWER
|
||||||
|
com. IN NS a.gtld-servers.net.
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
a.gtld-servers.net. IN A 192.5.6.30
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
www.example.com. IN A
|
||||||
|
SECTION AUTHORITY
|
||||||
|
example.com. IN NS ns.example.com.
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
ns.example.com. IN A 1.2.3.4
|
||||||
|
ENTRY_END
|
||||||
|
RANGE_END
|
||||||
|
|
||||||
|
; ns.example.com.
|
||||||
|
RANGE_BEGIN 0 100
|
||||||
|
ADDRESS 1.2.3.4
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
example.com. IN NS
|
||||||
|
SECTION ANSWER
|
||||||
|
example.com. IN NS ns.example.com.
|
||||||
|
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
ns.example.com. IN A 1.2.3.4
|
||||||
|
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
; response to DNSKEY priming query
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
example.com. IN DNSKEY
|
||||||
|
SECTION ANSWER
|
||||||
|
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
|
||||||
|
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
|
||||||
|
SECTION AUTHORITY
|
||||||
|
example.com. IN NS ns.example.com.
|
||||||
|
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
ns.example.com. IN A 1.2.3.4
|
||||||
|
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
; response to query of interest
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NXDOMAIN
|
||||||
|
SECTION QUESTION
|
||||||
|
www.example.com. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
SECTION AUTHORITY
|
||||||
|
example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
|
||||||
|
example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFCNGZ+/OfElYQMCZ77O9Lw9rhk7PAhUAmDcvTAst6Bq83qPq3r6c/Dm1nFc= ;{id = 2854}
|
||||||
|
; wildcard denial
|
||||||
|
example.com. IN NSEC abc.example.com. SOA NS DNSKEY NSEC RRSIG
|
||||||
|
example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFHV2IBWyTmDJvZ+sT+WsGrJX0op/AhQkAijjnjPAtx/tNub2FAGqcexJSg== ;{id = 2854}
|
||||||
|
; qname denial
|
||||||
|
; The overreaching NSEC record; it tries to deny other .com zones!
|
||||||
|
wab.example.com. IN NSEC wzz.foo.com. A NSEC RRSIG
|
||||||
|
wab.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AEimIB2N5u7AQOb5IBMnckASZ4MlhBxziJy+zVUjLov/s7q85j8eWQc= ;{id = 2854}
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
ENTRY_END
|
||||||
|
RANGE_END
|
||||||
|
|
||||||
|
STEP 1 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD DO
|
||||||
|
SECTION QUESTION
|
||||||
|
www.example.com. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
; recursion happens here.
|
||||||
|
STEP 10 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA SERVFAIL
|
||||||
|
SECTION QUESTION
|
||||||
|
www.example.com. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
SECTION AUTHORITY
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
SCENARIO_END
|
Loading…
Reference in New Issue
Block a user