From f12b7a8dd9072cf2ba225eac46a4da8bffb8fc12 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 26 Apr 2010 13:40:37 +0000
Subject: [PATCH] - More strict scrubber (Thanks to George Barwood for the idea): NS set must be pertinent to the query (qname subdomain nsname).
git-svn-id: file:///svn/unbound/trunk@2096 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 2 +
 iterator/iter_scrub.c | 6 ++
 testdata/iter_scrub_ns_side.rpl | 103 ++++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+)
 create mode 100644 testdata/iter_scrub_ns_side.rpl
diff --git a/doc/Changelog b/doc/Changelog
index 9f535452b..72ccc508c 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,8 @@ it from the event.h header file and link with -lev. - configlexer.lex gets config.h, and configyyrename.h added by make, no more double include.
+ - More strict scrubber (Thanks to George Barwood for the idea):
+ NS set must be pertinent to the query (qname subdomain nsname).
 23 April 2010: Wouter - Squelch log message: sendto failed permission denied for
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index f9a88f2b2..4866793d4 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -446,6 +446,12 @@ scrub_normalize(ldns_buffer* pkt, struct msg_parse* msg,
 }
 /* only one NS set allowed in authority section */
 if(rrset->type==LDNS_RR_TYPE_NS) {
+ /* NS set must be pertinent to the query */
+ if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) {
+ remove_rrset("normalize: removing irrelevant "
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
 if(nsset == NULL) {
 nsset = rrset;
 } else {
diff --git a/testdata/iter_scrub_ns_side.rpl b/testdata/iter_scrub_ns_side.rpl
new file mode 100644
index 000000000..98d00fd92
--- /dev/null
+++ b/testdata/iter_scrub_ns_side.rpl
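Review bot: The added test in the NS branch compares only against `qinfo->qname`, so an NS set owned by any ancestor of the query name still passes, including one above the zone the answering server was queried for; the comment `/* NS set must be pertinent to the query */` reads as if this were a bailiwick check. I would state the rule in the comment, e.g. `/* qname must be at or below the NS owner name; this is a relevance test, not a zone (bailiwick) test */`. Whether a zone-relative filter runs elsewhere is not visible here, because scrub_normalize starts and ends outside the hunk. The log text `"normalize: removing irrelevant " "RRset:"` also does not say which rule fired; a message specific to this check would make these drops easier to tell apart when an operator is tracing suspicious referrals.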
@@ -0,0 +1,103 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test scrubber to scrub NS record to the side of the query
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+; must be scrubbed
+www.burritolovers.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example1234.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+; not pertinent to the query
+www.example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+mail.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
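Review bot: Both CHECK_ANSWER steps (STEP 10 and STEP 30) expect an empty AUTHORITY section, so the scenario only shows that the unrelated and the sibling NS sets are removed; a scrubber that dropped every NS set would pass it as well. A third entry whose authority section carries an NS set at or above the query name (a constructed example: `example.com. IN NS ns.example.com.`), with a matching check on the expected outcome, would pin the accepting side of the rule. It would also help to extend the comment `; not pertinent to the query` to say why, e.g. `; www.example.com is a sibling of mail.example.com, not an ancestor`.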