resolved: do not use NSEC RRs from the wrong zone for proofs

When proving NODATA DS lookups we need to insist on looking at the parent zone's NSEC RR, not the child zone's.

When proving any other NODATA lookups we need to insist on looking at the child zone's NSEC RR, not the parent's.
Lennart Poettering 2016-01-14 17:28:58 +01:00
parent 54b778e7d6
commit 1827a1582c
1 changed files with 13 additions and 0 deletions


@ -1583,6 +1583,19 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
if (r < 0)
return r;
if (r > 0) {
if (key->type == DNS_TYPE_DS) {
/* If we look for a DS RR and the server sent us the NSEC RR of the child zone
* we have a problem. For DS RRs we want the NSEC RR from the parent */
if (bitmap_isset(rr->nsec.types, DNS_TYPE_SOA))
continue;
} else {
/* For all RR types, ensure that if NS is set SOA is set too, so that we know
* we got the child's NSEC. */
if (bitmap_isset(rr->nsec.types, DNS_TYPE_NS) &&
!bitmap_isset(rr->nsec.types, DNS_TYPE_SOA))
continue;
}
if (bitmap_isset(rr->nsec.types, key->type))
*result = DNSSEC_NSEC_FOUND;
else if (bitmap_isset(rr->nsec.types, DNS_TYPE_CNAME))
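Review bot: The comment introducing the else branch says "For all RR types", but that branch is only reached for non-DS keys, so it reads as a contradiction of the DS branch directly above it; suggest `/* For all RR types other than DS, ensure that if NS is set SOA is set too, so that we know` as the first line. It would also help a reader to state the zone-boundary rule the two checks encode in one place, e.g. a comment before the `if (key->type == DNS_TYPE_DS)` line along the lines of `/* At a delegation the parent's NSEC has NS set and SOA clear, while the child's apex NSEC has both; pick the side that is authoritative for the queried type. */`. Both `continue` statements drop an NSEC RR silently, so a resolver that hands back the wrong-side NSEC is indistinguishable from one that sent no proof at all; a `log_debug()` naming the skipped RR before each `continue` would make that visible when diagnosing validation failures. dnssec_nsec_test() begins before the hunk and its loop and return path continue after it, so what happens when every NSEC RR is skipped cannot be confirmed from this view.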