clones/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2024-09-21 06:37:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Scrub NS records from NXDOMAIN responses to stop fragmentation

Browse Source 
poisoning of the cache.


git-svn-id: file:///svn/unbound/trunk@4961 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-11-20 09:44:40 +00:00
parent 069b0b8c90
commit f7e99131b9
4 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/Changelog
View File

@ -1,3 +1,7 @@
20 November 2018: Wouter
- Scrub NS records from NXDOMAIN responses to stop fragmentation
poisoning of the cache.
19 November 2018: Wouter
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
option in unbound.conf.

10
iterator/iter_scrub.c
View File

@ -497,6 +497,16 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
"RRset:", pkt, msg, prev, &rrset);
continue;
}
/* we don't want NS sets for NXDOMAIN answers,
* because they could contain poisonous contents,
* from. eg. fragmentation attacks, inserted after
* long RRSIGs in the packet get to the packet
* border and such */
if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) {
remove_rrset("normalize: removing irrelevant "
"RRset:", pkt, msg, prev, &rrset);
continue;
}
if(nsset == NULL) {
nsset = rrset;
} else {

4
testdata/iter_domain_sale.rpl vendored
View File

@ -241,9 +241,9 @@ SECTION ANSWER
SECTION AUTHORITY
; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
example.com. 5 IN SOA a. b. 1 2 3 4 5
example.com. 1800 IN NS ns.example.com.
;example.com. 1800 IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. 1800 IN A 1.2.3.4
;ns.example.com. 1800 IN A 1.2.3.4
ENTRY_END
; after another 1900 seconds the domain must have timed out.

8
testdata/iter_domain_sale_nschange.rpl vendored
View File

@ -288,9 +288,9 @@ SECTION ANSWER
SECTION AUTHORITY
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
example.com. 5 IN SOA a. b. 1 2 3 4 5
example.com. 3600 IN NS nsb.example.com.
;example.com. 3600 IN NS nsb.example.com.
SECTION ADDITIONAL
nsb.example.com. 3600 IN A 1.2.3.4
;nsb.example.com. 3600 IN A 1.2.3.4
ENTRY_END
STEP 62 QUERY
@ -310,9 +310,9 @@ SECTION ANSWER
SECTION AUTHORITY
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
example.com. 5 IN SOA a. b. 1 2 3 4 5
example.com. 1800 IN NS nsb.example.com.
;example.com. 1800 IN NS nsb.example.com.
SECTION ADDITIONAL
nsb.example.com. 3600 IN A 1.2.3.4
;nsb.example.com. 3600 IN A 1.2.3.4
ENTRY_END
; after another 1900 seconds the domain must have timed out.