3348. [security] prevent RRSIG data from being cached if a negative

record matching the covering type exists at a higher
			trust level. Such data already can't be retrieved from
			the cache since change 3218 -- this prevents it
			being inserted into the cache as well. [RT #26809]
ckb 2012-07-09 13:23:35 -05:00
parent c900f2ab7d
commit 6235fc5a0e
2 changed files with 19 additions and 8 deletions


@ -1,3 +1,9 @@
3348. [security] prevent RRSIG data from being cached if a negative
record matching the covering type exists at a higher
trust level. Such data already can't be retrieved from
the cache since change 3218 -- this prevents it
being inserted into the cache as well. [RT #26809]
3347. [bug] dnssec-settime: Issue a warning when writing a new
private key file would cause a change in the
permissions of the existing file. [RT #27724]


@ -5916,13 +5916,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
negtype = 0;
if (rbtversion == NULL && !newheader_nx) {
rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
covers = RBTDB_RDATATYPE_EXT(newheader->type);
sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
if (NEGATIVE(newheader)) {
/*
* We're adding a negative cache entry.
*/
covers = RBTDB_RDATATYPE_EXT(newheader->type);
sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
covers);
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
@ -5955,14 +5954,20 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
* We're adding something that isn't a
* negative cache entry. Look for an extant
* non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
* cache entry.
* cache entry. If we're adding an RRSIG, also
* check for an extant non-stale NODATA ncache
* entry which covers the same type as the RRSIG.
*/
for (topheader = rbtnode->data;
topheader != NULL;
topheader = topheader->next) {
if (topheader->type ==
RBTDB_RDATATYPE_NCACHEANY)
break;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
topheader->type ==
RBTDB_RDATATYPE_VALUE(0, covers))) {
break;
}
}
if (topheader != NULL && EXISTS(topheader) &&
topheader->rdh_ttl > now) {
@ -5985,7 +5990,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
}
/*
* The new rdataset is better. Expire the
* NXDOMAIN/NODATA(QTYPE=ANY).
* ncache entry.
*/
set_ttl(rbtdb, topheader, 0);
topheader->attributes |= RDATASET_ATTR_STALE;
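Review bot: In the second hunk the new loop condition `newheader->type == sigtype` is an indirect way of asking whether the record being added is an RRSIG — `sigtype` is built from `covers = RBTDB_RDATATYPE_EXT(newheader->type)` in the first hunk, so the equality holds exactly when `rdtype == dns_rdatatype_rrsig`, and spelling it `rdtype == dns_rdatatype_rrsig && topheader->type == RBTDB_RDATATYPE_VALUE(0, covers)` would state the intent directly with the `rdtype` that the same hunk already computes. The comment above the loop should also say why an RRSIG needs this extra NODATA(covers) lookup rather than only that it gets one; presumably the generic negative-type replacement later in add() keys on NODATA(RRSIG) rather than NODATA(covers), but that assignment is not in the hunk, so confirm it before writing the comment. Note that the loop only locates the conflicting ncache entry; the trust comparison that decides between rejecting the RRSIG and expiring the entry (the "better" case in the third hunk) lies between the second and third hunks and is not shown, so the "higher trust level" guarantee in the commit message cannot be verified from this page. add() begins and ends outside all three hunks.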