From fe18bbcb1f7903f72a6676132f2e5e3fa6556efd Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Wed, 30 Aug 2017 13:13:43 +0000
Subject: [PATCH] - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
git-svn-id: file:///svn/unbound/trunk@4322 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 1 +
 validator/val_utils.c | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index bdd70102a..e4c323679 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,5 +1,6 @@
 30 August 2017: Wouter
 - updated contrib/fastrpz.patch to apply with configparser changes.
+ - Fix 1416: qname-minimisation breaks TLSA lookups with CNAMEs.
 29 August 2017: Wouter
 - Fix #1414: fix segfault on parse failure and log_replies.
diff --git a/validator/val_utils.c b/validator/val_utils.c
index e4eff1b25..973473f9d 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -932,17 +932,24 @@ val_check_nonsecure(struct module_env* env, struct reply_info* rep)
 * Therefore the message is bogus.
 */
- /* check if authority consists of only an NS record
+ /* check if authority has an NS record
 * which is bad, and there is an answer section with
 * data. In that case, delete NS and additional to
 * be lenient and make a minimal response */
- if(rep->an_numrrsets != 0 && rep->ns_numrrsets == 1 &&
+ if(rep->an_numrrsets != 0 &&
 ntohs(rep->rrsets[i]->rk.type)
 == LDNS_RR_TYPE_NS) {
 verbose(VERB_ALGO, "truncate to minimal");
- rep->ns_numrrsets = 0;
 rep->ar_numrrsets = 0;
- rep->rrset_count = rep->an_numrrsets;
+ rep->rrset_count = rep->an_numrrsets +
+ rep->ns_numrrsets;
+ /* remove this unneeded authority rrset */
+ memmove(rep->rrsets+i, rep->rrsets+i+1,
+ sizeof(struct ub_packed_rrset_key*)*
+ (rep->rrset_count - i - 1));
+ rep->ns_numrrsets--;
+ rep->rrset_count--;
+ i--;
 return;
 }
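Review bot: The `i--;` added just before `return;` in the `validator/val_utils.c` hunk has no effect, and returning after deleting one unsigned NS rrset skips whatever authority rrsets follow it. With `rep->ns_numrrsets == 1` dropped from the condition, the authority section can now hold further rrsets past index `i`, so if the enclosing loop (which starts outside this hunk) is what checks each authority rrset's security status, those entries are never examined and a non-secure rrset could stay in a reply that is passed on as validated. The `i--` suggests the scan was meant to resume at the same index; consider `continue;` in place of `return;`, or drop the `i--` and extend the comment above the `if` to state why stopping after the first removal is safe.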