From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 12 Jan 2015 23:16:56 +0000
Subject: [PATCH 30/78] Don't answer from cache RRsets from wildcards, as we
don't have NSECs.
---
src/dnssec.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index afb3dca38cb1..d39ab85ed966 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
|
struct blockdata *key;
|
|
struct crec *crecp;
|
|
char *wildname;
|
|
+ int have_wildcard = 0;
|
|
|
|
rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0);
|
|
|
|
if (rc == STAT_SECURE_WILDCARD)
|
|
{
|
|
+ have_wildcard = 1;
|
|
+
|
|
/* An attacker replay a wildcard answer with a different
|
|
answer and overlay a genuine RR. To prove this
|
|
hasn't happened, the answer must prove that
|
|
@@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
|
p2 += 13; /* labels, orig_ttl, expiration, inception */
|
|
GETSHORT(keytag, p2);
|
|
|
|
- if ((key = blockdata_alloc((char*)psave, rdlen2)))
|
|
+ /* We don't cache sigs for wildcard answers, because to reproduce the
|
|
+ answer from the cache will require one or more NSEC/NSEC3 records
|
|
+ which we don't cache. The lack of the RRSIG ensures that a query for
|
|
+ this RRset asking for a secure answer will always be forwarded. */
|
|
+ if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2)))
|
|
{
|
|
if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS)))
|
|
blockdata_free(key);
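Review bot: The new comment above the `!have_wildcard` guard explains why the RRSIG is not cached, but it leaves unstated the invariant the rest of the resolver must uphold for this to be a security measure: the RRset data itself is still inserted into the cache, so the protection holds only if every cache-answer path treats an RRset with no cached RRSIG as not provably secure and forwards the query instead. I would append a sentence to that comment, e.g. `Relies on the cache lookup path refusing to serve a secure answer for an RRset whose RRSIG is absent; if that check is ever relaxed, wildcard answers would be served from cache without the NSEC/NSEC3 proof.` The flag is declared in the first hunk about a hundred lines before this use, so a one-line note there would help too: `int have_wildcard = 0; /* set when validate_rrset() returns STAT_SECURE_WILDCARD; suppresses RRSIG caching below */`. The declaration sits with the other per-RRset locals (`key`, `crecp`, `wildname`), which suggests it is reset for each RRset, but the enclosing loop and the remainder of `dnssec_validate_reply` start before and end after these hunks, so that cannot be confirmed from the diff.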
|
|
--
2.1.0