From 86f6b92e35c7bdb5fc1fd1021af75b981863313e Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 15 Jul 2002 03:25:28 +0000
Subject: [PATCH] 1248. [bug] The validator could incorrectly verify an invalid negative proof. When checking the range of the nxt record, the code needs to handle the case where the 'next name' field points to the origin. The way that the origin was determined was looking at the 'signer' field of the first SIG NXT, since NXTs are signed by the zone key. This doesn't work, because the first SIG could have been spoofed. It now defers checking the nxt range until both the SOA and NXT have been verified, and uses the owner of the SOA name as the origin. bwelling
---
 CHANGES | 3 +++
 lib/dns/validator.c | 35 ++++++++++++-----------------------
 2 files changed, 15 insertions(+), 23 deletions(-)
diff --git a/CHANGES b/CHANGES
index 661afcbd41..f4fa76b3f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1248. [bug] The validator could incorrectly verify an invalid
+ negative proof.
+
 1247. [bug] The validator would incorrectly mark data as insecure when seeing a bogus signature before a correct signature.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index e1b261a824..e25ab8877b 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.107 2002/07/15 02:57:14 marka Exp $ */
+/* $Id: validator.c,v 1.108 2002/07/15 03:25:28 marka Exp $ */
 #include
@@ -392,7 +392,7 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
 static isc_boolean_t
 nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
- dns_rdataset_t *nxtset, dns_rdataset_t *signxtset)
+ dns_rdataset_t *nxtset)
 {
 int order;
 dns_rdata_t rdata = DNS_RDATA_INIT;
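Review bot: Dropping `signxtset` gives `nxtprovesnonexistence` a new, undocumented precondition: it now dereferences `val->soaname` in the `@@ -459` hunk without checking it, and nothing in the signature or a header comment says so. The only caller visible in this patch (`authvalidated`) guards `val->soaname != NULL`, but any other caller would walk straight into a NULL dereference. I would add a comment above the definition such as `/* Requires val->soaname (owner of the SOA set found in the authority section) to be non-NULL; callers must ensure this. */`, and for defence in depth change the later test to `if (val->soaname == NULL || !dns_name_equal(val->soaname, &nxt.next)) {`. The function body continues outside this hunk.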
@@ -459,23 +459,7 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
 * name. This is only ok if the next name is the zone
 * name.
 */
- dns_rdata_sig_t siginfo;
- result = dns_rdataset_first(signxtset);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "failure processing SIG NXT set");
- dns_rdata_freestruct(&nxt);
- return (ISC_FALSE);
- }
- dns_rdataset_current(signxtset, &rdata);
- result = dns_rdata_tostruct(&rdata, &siginfo, NULL);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "failure processing SIG NXT set");
- dns_rdata_freestruct(&nxt);
- return (ISC_FALSE);
- }
- if (!dns_name_equal(&siginfo.signer, &nxt.next)) {
+ if (!dns_name_equal(val->soaname, &nxt.next)) {
 validator_log(val, ISC_LOG_DEBUG(3), "next name is not greater");
 dns_rdata_freestruct(&nxt);
@@ -532,9 +516,9 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 validator_done(val, result);
 }
 } else {
- if (rdataset->type == dns_rdatatype_nxt &&
- nxtprovesnonexistence(val, devent->name, rdataset,
- sigrdataset))
+ if (val->soaname != NULL && val->nxtset != NULL &&
+ (val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0 &&
+ nxtprovesnonexistence(val, devent->name, rdataset))
 val->attributes |= VALATTR_FOUNDNONEXISTENCE;
 result = nxtvalidate(val, ISC_TRUE);
@@ -1364,8 +1348,11 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
 if (rdataset->type == dns_rdatatype_sig)
 continue;
- if (rdataset->type == dns_rdatatype_soa)
+ if (rdataset->type == dns_rdatatype_soa) {
 val->soaset = rdataset;
+ val->soaname = name;
+ } else if (rdataset->type == dns_rdatatype_nxt)
+ val->nxtset = rdataset;
 for (sigrdataset = ISC_LIST_HEAD(name->list); sigrdataset != NULL;
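Review bot: The rewritten condition in the `@@ -532` hunk drops the `rdataset->type == dns_rdatatype_nxt` test, so once `val->soaname` and `val->nxtset` are both set, whichever authority rdataset finishes validating next — including the SOA set itself — is handed to `nxtprovesnonexistence` as its `nxtset` argument and treated there as NXT rdata (`&nxt.next`). Separately, `val->soaname` is assigned in `nxtvalidate` (the `@@ -1364` hunk) when the SOA rdataset is first encountered, before its signature has been checked, so `val->soaname != NULL` means "SOA seen" rather than "SOA verified", and the deferral the commit message describes presumably only holds because sub-validations run one at a time in authority-section order — that assumption deserves a comment at the guard. A minimal repair is to restore the type test, `if (rdataset->type == dns_rdatatype_nxt && val->soaname != NULL &&`, and to gate on a flag recorded in this callback when `rdataset == val->soaset` validates rather than on the name pointer; if the NXT set can precede the SOA set in the authority section, the proof would additionally have to be re-checked for `val->nxtset` when the SOA completes. `authvalidated` starts and ends outside the hunk.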
@@ -1723,6 +1710,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 val->keyset = NULL;
 val->dsset = NULL;
 val->soaset = NULL;
+ val->nxtset = NULL;
+ val->soaname = NULL;
 val->seensig = ISC_FALSE;
 dns_rdataset_init(&val->frdataset);
 dns_rdataset_init(&val->fsigrdataset);