Change default TTL of NSEC3PARAM to SOA MINIMUM

Although the RFC says that NSEC3PARAM is not intended to be cached by resolvers, and thus a TTL of 0 is the most logical choice, a zero-TTL RRset can be abused by bad actors.

Change the default to SOA MINIMUM.
This commit is contained in:
Matthijs Mekking 2022-10-12 16:24:13 +02:00
parent f51901eaca
commit 53eab06083


@ -8120,6 +8120,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t rdataset;
dns_rdata_nsec3param_t nsec3param;
dns_rdata_soa_t soa;
isc_result_t result;
isc_buffer_t buffer;
unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
@ -8130,6 +8131,21 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
result = dns_db_getoriginnode(db, &node);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/* Default TTL is SOA MINIMUM */
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
&rdataset, NULL);
if (result == ISC_R_SUCCESS) {
CHECK(dns_rdataset_first(&rdataset));
dns_rdataset_current(&rdataset, &rdata);
CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
ttl = soa.minimum;
dns_rdata_reset(&rdata);
}
if (dns_rdataset_isassociated(&rdataset)) {
dns_rdataset_disassociate(&rdataset);
}
result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0,
0, &rdataset, NULL);
if (result == ISC_R_NOTFOUND) {