upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Tighten restrictions on caching NS RRsets in authority section

Browse source 
To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.
This commit is contained in:
Mark Andrews 2025-07-10 09:37:36 +10:00 committed by Michał Kępień
parent 1d851c2352
commit fa153f791f
No known key found for this signature in database
1 changed files with 5 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/dns/resolver.c
View file

@ -8435,8 +8435,8 @@ rctx_answer_dname(respctx_t *rctx) {
* section to be subdomains of the domain being queried; any that are
* not are skipped. We expect to find only *one* owner name; any names
* after the first one processed are ignored. We expect to find only
* rdatasets of type NS, RRSIG, or SIG; all others are ignored. Whatever
* remains can be cached at trust level authauthority or additional
* rdatasets of type NS; all others are ignored. Whatever remains can
* be cached at trust level authauthority or additional
* (depending on whether the AA bit was set on the answer).
*/
static void
@ -8445,7 +8445,9 @@ rctx_authority_positive(respctx_t *rctx) {
dns_message_t *msg = rctx->query->rmessage;
MSG_SECTION_FOREACH(msg, DNS_SECTION_AUTHORITY, name) {
if (!name_external(name, dns_rdatatype_ns, fctx)) {
if (!name_external(name, dns_rdatatype_ns, fctx) &&
dns_name_issubdomain(fctx->name, name))
{
/*
* We expect to find NS or SIG NS rdatasets, and
* nothing else.