picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

resolved: be stricter when using NSEC3 

We can user signer and synthesizing source information to check that the NSEC3 RRs we want to use are
actually reasonable and properly signed.
This commit is contained in:
Lennart Poettering 2016-01-14 18:14:43 +01:00
parent 97c67192ea
commit 93a3b9294f
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/resolve/resolved-dns-dnssec.c
View File

@ -1157,7 +1157,6 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
if (ds->key->type != DNS_TYPE_DS)
continue;
if (ds->key->class != dnskey->key->class)
continue;
@ -1286,6 +1285,13 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
return 0;
/* Ignore NSEC3 RRs generated from wildcards */
if (rr->n_skip_labels_source != 0)
return 0;
/* Ignore NSEC3 RRs that are located anywhere else than one label below the zone */
if (rr->n_skip_labels_signer != 1)
return 0;
if (!nsec3)
return 1;
@ -1319,6 +1325,7 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
if (r == 0)
return 0;
/* Make sure both have the same parent */
return dns_name_equal(a, b);
}