mirror of
https://github.com/isc-projects/bind9.git
synced 2026-07-15 00:10:51 -04:00
Unvalidated opt-out NSEC3 could be accepted in insecurity proof
Ignore NSEC3 records that failed in the sub-validator when determining
whether an insecure delegation is legitimate.
Fixes: isc-projects/bind9#5970
(cherry picked from commit 1bd458d3ba)
This commit is contained in:
parent
3e6cef2ac6
commit
c79ae4e8ca
1 changed files with 16 additions and 0 deletions
|
|
@ -306,6 +306,12 @@ is_insecure_referral(dns_validator_t *val, dns_name_t *name,
|
|||
if (result != ISC_R_SUCCESS) {
|
||||
return false;
|
||||
}
|
||||
if (set.trust < dns_trust_secure) {
|
||||
if (dns_rdataset_isassociated(&set)) {
|
||||
dns_rdataset_disassociate(&set);
|
||||
}
|
||||
goto trynsec3;
|
||||
}
|
||||
}
|
||||
|
||||
INSIST(set.type == dns_rdatatype_nsec);
|
||||
|
|
@ -337,6 +343,12 @@ trynsec3:
|
|||
dns_rdataset_disassociate(&set);
|
||||
continue;
|
||||
}
|
||||
if (set.trust < dns_trust_secure) {
|
||||
if (dns_rdataset_isassociated(&set)) {
|
||||
dns_rdataset_disassociate(&set);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
dns_name_getlabel(&nsec3name, 0, &hashlabel);
|
||||
isc_region_consume(&hashlabel, 1);
|
||||
isc_buffer_init(&buffer, owner, sizeof(owner));
|
||||
|
|
@ -905,6 +917,10 @@ validator_callback_nsec(void *arg) {
|
|||
val->authfail++;
|
||||
FALLTHROUGH;
|
||||
default:
|
||||
if (val->nxset != NULL) {
|
||||
val->nxset->attributes &=
|
||||
~DNS_RDATASETATTR_NCACHE;
|
||||
}
|
||||
result = validate_nx(val, true);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue