From 53eab060837ddf792a0da5d8424fe955c190d375 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 12 Oct 2022 16:24:13 +0200
Subject: [PATCH] Change default TTL of NSEC3PARAM to SOA MINIMUM

Despite the RFC says that the NSEC3PARAM is not something that is intended for the resolver to be cached, and thus the TTL of 0 is most logical, a zero TTL RRset can be abused by bad actors. Change the default to SOA MINIMUM.
---
 lib/dns/zone.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index fe7cb5bed3..f8a7ab4633 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -8120,6 +8120,7 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdataset_t rdataset;
 	dns_rdata_nsec3param_t nsec3param;
+	dns_rdata_soa_t soa;
 	isc_result_t result;
 	isc_buffer_t buffer;
 	unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
@@ -8130,6 +8131,21 @@ fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
 	result = dns_db_getoriginnode(db, &node);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/* Default TTL is SOA MINIMUM */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		CHECK(dns_rdataset_first(&rdataset));
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+		ttl = soa.minimum;
+		dns_rdata_reset(&rdata);
+	}
+	if (dns_rdataset_isassociated(&rdataset)) {
+		dns_rdataset_disassociate(&rdataset);
+	}
+
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param, 0, 0, &rdataset, NULL);
 	if (result == ISC_R_NOTFOUND) {
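Review bot: `dns_rdata_soa_t soa;` in the first hunk is added without an initializer, while the neighbouring `dns_rdata_t rdata = DNS_RDATA_INIT;` two lines above it is initialized, and nothing at the declaration says when `soa` holds valid data. From the second hunk it appears to be written only by `dns_rdata_tostruct` and read (`ttl = soa.minimum`) only inside the branch guarded by `result == ISC_R_SUCCESS`, so there is no uninitialized read today, but that coupling is invisible at the declaration site. A one-line comment on the declaration, `/* populated only when the SOA lookup below succeeds */`, or the defensive `dns_rdata_soa_t soa = { 0 };` would make the contract explicit for the next edit to this function. fixup_nsec3param's body continues outside both hunks.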