These fix minor bugs and contain smaller improvements. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
From 0b8a5a30a77331974ba24a04e43e720585dfbc61 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 27 Mar 2015 11:44:55 +0000
Subject: [PATCH 063/113] Protect against broken DNSSEC upstreams.
---
src/dnssec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
|
|
index db5c768bd751..14bae7e9bf75 100644
|
|
--- a/src/dnssec.c
|
|
+++ b/src/dnssec.c
|
|
@@ -1177,7 +1177,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
|
|
STAT_NO_DS It's proved there's no DS here.
|
|
STAT_NO_NS It's proved there's no DS _or_ NS here.
|
|
STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
|
|
- STAT_NEED_DNSKEY DNSKEY records to validate a DS not found, name in keyname
|
|
+ STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname
|
|
*/
|
|
|
|
int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
|
|
@@ -1208,7 +1208,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
|
if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
|
|
val = STAT_BOGUS;
|
|
|
|
- if (val == STAT_BOGUS)
|
|
+ /* If the key needed to validate the DS is on the same domain as the DS, we'll
|
|
+ loop getting nowhere. Stop that now. This can happen of the DS answer comes
|
|
+ from the DS's zone, and not the parent zone. */
|
|
+ if (val == STAT_BOGUS || (val == STAT_NEED_KEY && hostname_isequal(name, keyname)))
|
|
{
|
|
log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
|
|
return STAT_BOGUS;
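Review bot: The new comment above the guard has a typo that inverts its sense — `This can happen of the DS answer comes` should read `This can happen if the DS answer comes from the DS's zone, and not the parent zone.` Separately, the loop-protection case (`val == STAT_NEED_KEY && hostname_isequal(name, keyname)`) is logged with the same `"BOGUS DS"` text as a genuinely missing or unsigned DS, so an operator tracing a misbehaving upstream cannot tell from the log which branch fired; a distinct message such as `log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS (key in same zone)");` on the new branch would keep the failure diagnosable. Whether `hostname_isequal` compares case-insensitively is not visible in this hunk, so the guard's behaviour for mixed-case owner names should be confirmed. dnssec_validate_ds starts before this hunk and its body continues after it.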
|
|
--
2.1.0