mirror of
https://github.com/isc-projects/bind9.git
synced 2026-07-15 00:40:49 -04:00
Require secure trust for covering NSEC in the RBT cache
The guard against synthesizing negative answers from a pending NSEC (#5977) was only added to the QP cache's find_coveringnsec(); the RBT cache database kept binding any covering NSEC regardless of trust. On builds configured with --with-cachedb=rbt this lets a piggy-backed, unvalidated NSEC drive a synthesized NXDOMAIN, reviving the cache poisoning that was fixed for the default cache. query_coveringnsec() only verifies the covering NSEC's trust on its NODATA path; the NXDOMAIN path relies on the database returning a secure record. Require the NSEC and its RRSIG to be dns_trust_secure in find_coveringnsec(), matching the QP cache. Assisted-by: Claude:claude-opus-4-8
This commit is contained in:
parent
86b87dfd29
commit
e675db2e49
1 changed files with 3 additions and 1 deletions
|
|
@ -728,7 +728,9 @@ find_coveringnsec(rbtdb_search_t *search, const dns_name_t *name,
|
|||
}
|
||||
header_prev = header;
|
||||
}
|
||||
if (found != NULL) {
|
||||
if (found != NULL && found->trust == dns_trust_secure &&
|
||||
(foundsig == NULL || foundsig->trust == dns_trust_secure))
|
||||
{
|
||||
dns__rbtdb_bindrdataset(search->rbtdb, node, found, now,
|
||||
nlocktype, rdataset DNS__DB_FLARG_PASS);
|
||||
if (foundsig != NULL) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue