- Scrub NS records from NXDOMAIN responses to stop fragmentation
poisoning of the cache. git-svn-id: file:///svn/unbound/trunk@4961 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
069b0b8c90
commit
f7e99131b9
@ -1,3 +1,7 @@
|
||||
20 November 2018: Wouter
|
||||
- Scrub NS records from NXDOMAIN responses to stop fragmentation
|
||||
poisoning of the cache.
|
||||
|
||||
19 November 2018: Wouter
|
||||
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
|
||||
option in unbound.conf.
|
||||
|
@ -497,6 +497,16 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
||||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
/* we don't want NS sets for NXDOMAIN answers,
|
||||
* because they could contain poisonous contents,
|
||||
* from. eg. fragmentation attacks, inserted after
|
||||
* long RRSIGs in the packet get to the packet
|
||||
* border and such */
|
||||
if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) {
|
||||
remove_rrset("normalize: removing irrelevant "
|
||||
"RRset:", pkt, msg, prev, &rrset);
|
||||
continue;
|
||||
}
|
||||
if(nsset == NULL) {
|
||||
nsset = rrset;
|
||||
} else {
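Review bot: The new guard keys only on `FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN`, so a NODATA reply (NOERROR, empty answer, SOA in authority) that carries an NS set after a long run of RRSIGs is still accepted by this branch; that is presumably deliberate, since an NS set in a NOERROR authority section is what a referral looks like, but the comment should state that the NODATA case is knowingly left out and why. The removal reuses the exact log text of the removal just above it, `"normalize: removing irrelevant RRset:"`, so a verbose log cannot distinguish the fragmentation scrub from the ordinary irrelevant-NS removal; a distinct string such as `"normalize: removing NS from NXDOMAIN:"` would make incident review easier. The comment also has a stray period in `from. eg.` and does not say what the attack actually is; suggest `* from e.g. fragmentation attacks, where a long RRSIG pushes the NS set and its glue into a second IP fragment that can be spoofed without knowing the query ID or port`. The testdata hunks in this commit drop the additional-section A glue together with the NS record, which suggests the glue is discarded once the NS set is gone, but that is inferred from the test expectations rather than from this hunk. scrub_normalize starts and ends outside the hunk.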
|
||||
|
4
testdata/iter_domain_sale.rpl
vendored
4
testdata/iter_domain_sale.rpl
vendored
@ -241,9 +241,9 @@ SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
|
||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 1800 IN NS ns.example.com.
|
||||
;example.com. 1800 IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. 1800 IN A 1.2.3.4
|
||||
;ns.example.com. 1800 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; after another 1900 seconds the domain must have timed out.
|
||||
|
8
testdata/iter_domain_sale_nschange.rpl
vendored
8
testdata/iter_domain_sale_nschange.rpl
vendored
@ -288,9 +288,9 @@ SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
|
||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 3600 IN NS nsb.example.com.
|
||||
;example.com. 3600 IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. 3600 IN A 1.2.3.4
|
||||
;nsb.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
STEP 62 QUERY
|
||||
@ -310,9 +310,9 @@ SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
|
||||
example.com. 5 IN SOA a. b. 1 2 3 4 5
|
||||
example.com. 1800 IN NS nsb.example.com.
|
||||
;example.com. 1800 IN NS nsb.example.com.
|
||||
SECTION ADDITIONAL
|
||||
nsb.example.com. 3600 IN A 1.2.3.4
|
||||
;nsb.example.com. 3600 IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; after another 1900 seconds the domain must have timed out.
|
||||
|