mirror of https://github.com/getdnsapi/getdns.git
Issue #423: Fix insecure delegation detection while scheduling
parent
0abd2345de
commit
99d15b999c
|
@ -1,4 +1,5 @@
|
||||||
* 2019-??-??: Version 1.?.?
|
* 2019-??-??: Version 1.?.?
|
||||||
|
* Issue #423: Fix insecure delegation detection while scheduling.
|
||||||
* Issue #419: Escape backslashed when printing in JSON format.
|
* Issue #419: Escape backslashed when printing in JSON format.
|
||||||
Thanks boB Rudis
|
Thanks boB Rudis
|
||||||
* DOA rr-type
|
* DOA rr-type
|
||||||
|
|
73
src/dnssec.c
73
src/dnssec.c
|
@ -1110,6 +1110,65 @@ static void cancel_requests_for_subdomains_of(
|
||||||
}
|
}
|
||||||
head = next;
|
head = next;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
static int nsec3_matches_name(_getdns_rrset *nsec3, const uint8_t *name);
|
||||||
|
static int nsec3_covers_name(
|
||||||
|
_getdns_rrset *nsec3, const uint8_t *name, int *opt_out);
|
||||||
|
|
||||||
|
static int insecure_delegation(_getdns_rrset *ds_rrset)
|
||||||
|
{
|
||||||
|
_getdns_rrset nsec_rrset;
|
||||||
|
_getdns_rrtype_iter *rr, rr_spc;
|
||||||
|
_getdns_rrsig_iter rrsig_spc;
|
||||||
|
_getdns_rdf_iter bitmap_spc, *bitmap;
|
||||||
|
_getdns_rrset_iter *i, i_spc;
|
||||||
|
|
||||||
|
/* For NSEC, an insecure delegation is a NODATA proof for DS */
|
||||||
|
nsec_rrset = *ds_rrset;
|
||||||
|
nsec_rrset.rr_type = GETDNS_RRTYPE_NSEC;
|
||||||
|
if (!_getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset))
|
||||||
|
; /* pass */
|
||||||
|
else for ( rr = _getdns_rrtype_iter_init(&rr_spc, &nsec_rrset)
|
||||||
|
; rr ; rr = _getdns_rrtype_iter_next(rr)) {
|
||||||
|
|
||||||
|
if ((bitmap = _getdns_rdf_iter_init_at( &bitmap_spc
|
||||||
|
, &rr->rr_i, 1))
|
||||||
|
&& bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
|
||||||
|
&& !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS)
|
||||||
|
&& _getdns_rrsig_iter_init(&rrsig_spc, &nsec_rrset))
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* For NSEC3 it is either a NODATA proof with a delegation,
|
||||||
|
or a NSEC3 opt-out coverage */
|
||||||
|
for ( i = _getdns_rrset_iter_init(&i_spc, ds_rrset->pkt
|
||||||
|
, ds_rrset->pkt_len
|
||||||
|
, SECTION_NO_ADDITIONAL)
|
||||||
|
; i ; i = _getdns_rrset_iter_next(i)) {
|
||||||
|
_getdns_rrset *nsec3_rrset = _getdns_rrset_iter_value(i);
|
||||||
|
int opt_out;
|
||||||
|
|
||||||
|
if ( !nsec3_rrset
|
||||||
|
|| nsec3_rrset->rr_type != GETDNS_RRTYPE_NSEC3
|
||||||
|
||!(rr = _getdns_rrtype_iter_init(&rr_spc, nsec3_rrset)))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (!nsec3_covers_name(nsec3_rrset, ds_rrset->name, &opt_out))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (nsec3_matches_name(nsec3_rrset, ds_rrset->name)) {
|
||||||
|
bitmap = _getdns_rdf_iter_init_at( &bitmap_spc
|
||||||
|
, &rr->rr_i, 5);
|
||||||
|
return bitmap
|
||||||
|
&& bitmap_has_type(bitmap, GETDNS_RRTYPE_NS)
|
||||||
|
&& !bitmap_has_type(bitmap, GETDNS_RRTYPE_DS);
|
||||||
|
}
|
||||||
|
else if (opt_out)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void val_chain_node_cb(getdns_dns_req *dnsreq)
|
static void val_chain_node_cb(getdns_dns_req *dnsreq)
|
||||||
|
@ -1158,10 +1217,16 @@ static void val_chain_node_cb(getdns_dns_req *dnsreq)
|
||||||
else if (n_signers) {
|
else if (n_signers) {
|
||||||
_getdns_rrtype_iter ds_spc;
|
_getdns_rrtype_iter ds_spc;
|
||||||
|
|
||||||
if (!_getdns_rrtype_iter_init(&ds_spc, &node->ds)) {
|
if (_getdns_rrtype_iter_init(&ds_spc, &node->ds))
|
||||||
debug_sec_print_rrset("A DS NX proof for ", &node->ds);
|
; /* pass */
|
||||||
DEBUG_SEC("Cancel all more specific requests\n");
|
|
||||||
cancel_requests_for_subdomains_of(node->chains, node->ds.name);
|
else if (insecure_delegation(&node->ds)) {
|
||||||
|
debug_sec_print_rrset("Insecure delegation. "
|
||||||
|
"Canceling requests below ", &node->ds);
|
||||||
|
cancel_requests_for_subdomains_of(
|
||||||
|
node->chains, node->ds.name);
|
||||||
|
} else {
|
||||||
|
debug_sec_print_rrset("No DS at ", &node->ds);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* No signed DS and no signed proof of non-existance.
|
/* No signed DS and no signed proof of non-existance.
|
||||||
|
|
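Review bot: insecure_delegation() accepts an NSEC or NSEC3 whose type bitmap has NS set and DS clear, but never checks that SOA is clear, so a child-apex NSEC/NSEC3 (NS and SOA set, no DS, which is normal for the child zone's own apex record) is indistinguishable from the parent-side delegation proof; RFC 6840 §4.4 and RFC 5155 §8.9 require the SOA bit to be absent for exactly this reason. Adding `&& !bitmap_has_type(bitmap, GETDNS_RRTYPE_SOA)` after each of the two `!bitmap_has_type(bitmap, GETDNS_RRTYPE_DS)` terms closes that gap. Since the result only decides whether val_chain_node_cb cancels the more specific requests, a false positive here skips lookups rather than marking anything secure, but the function deserves a header comment saying so, e.g. `/* Scheduling hint only: looks at unverified NSEC/NSEC3 records; the real proof is checked during validation */`. The NSEC branch also requires an RRSIG to be present (twice — the `_getdns_rrsig_iter_init` term inside the loop is redundant with the check before it), whereas the NSEC3 branch has no RRSIG presence check at all; the two branches should apply the same condition. val_chain_node_cb starts and ends outside the second hunk.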