diff --git a/doc/Changelog b/doc/Changelog
index 61645438f..3b6690ef7 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 2 September 2008: Wouter
 - DoS protection features. Queries are jostled out to make room.
 - testbound can pass time, increasing the internal timer.
+ - do not mark unsigned additionals bogus, leave unchecked, which
+ is removed too.
 1 September 2008: Wouter
 - disallow nonrecursive queries for cache snooping by default.
diff --git a/doc/plan b/doc/plan
index f7aae9057..ef105118f 100644
--- a/doc/plan
+++ b/doc/plan
@@ -34,9 +34,9 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
 + DoS vector, flush more. 50% of max is for run-to-completion 50% rest is for lifo queue with 100-200 msec timeout.
-* records in the additional section should not be marked bogus
-if they have no signer or a different signed. Validate if you can,
-otherwise leave unchecked.
++ records in the additional section should not be marked bogus
+ if they have no signer or a different signed. Validate if you can,
+ otherwise leave unchecked.
 * block DNS rebinding attacks, block all A records from 1918 IP blocks, like dnswall does. Allow certain subdomains to do it, config options. one option that controls on/off of all private space.
diff --git a/validator/val_utils.c b/validator/val_utils.c
index 1432a715c..f982034f2 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -150,13 +150,7 @@ rrsig_get_signer(uint8_t* data, size_t len, uint8_t** sname, size_t* slen)
 *sname = data;
 }
-/**
- * Find the signer name for an RRset.
- * @param rrset: the rrset.
- * @param sname: signer name is returned or NULL if not signed.
- * @param slen: length of sname (or 0).
- */
-static void
+void
 val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
 size_t* slen)
 {
diff --git a/validator/val_utils.h b/validator/val_utils.h
index e56ecb9c2..c85f50392 100644
--- a/validator/val_utils.h
+++ b/validator/val_utils.h
@@ -257,6 +257,15 @@ void val_mark_insecure(struct reply_info* rep, struct key_entry_key* kkey,
 */
 size_t val_next_unchecked(struct reply_info* rep, size_t skip);
+/**
+ * Find the signer name for an RRset.
+ * @param rrset: the rrset.
+ * @param sname: signer name is returned or NULL if not signed.
+ * @param slen: length of sname (or 0).
+ */
+void val_find_rrset_signer(struct ub_packed_rrset_key* rrset, uint8_t** sname,
+ size_t* slen);
+
 /**
 * Get string to denote the classification result.
 * @param subtype: from classification function.
diff --git a/validator/validator.c b/validator/validator.c
index 90770312b..ec7f1241a 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -373,7 +373,8 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
 struct query_info* qchase, struct reply_info* chase_reply,
 struct key_entry_key* key_entry)
 {
- size_t i;
+ uint8_t* sname;
+ size_t i, slen;
 struct ub_packed_rrset_key* s;
 enum sec_status sec;
 int dname_seen = 0;
@@ -438,7 +439,11 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
 for(i=chase_reply->an_numrrsets+chase_reply->ns_numrrsets;
 irrset_count; i++) {
 s = chase_reply->rrsets[i];
- (void)val_verify_rrset_entry(env, ve, s, key_entry);
+ /* only validate rrs that have signatures with the key */
+ /* leave others unchecked, those get removed later on too */
+ val_find_rrset_signer(s, &sname, &slen);
+ if(sname && query_dname_compare(sname, key_entry->name)==0)
+ (void)val_verify_rrset_entry(env, ve, s, key_entry);
 /* the additional section can fail to be secure,
 * it is optional, check signature in case we need
 * to clean the additional section later. */
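Review bot: `slen` is filled in by `val_find_rrset_signer(s, &sname, &slen);` but never read — the guard on the next line compares only `sname` with `key_entry->name` — so the `size_t i, slen;` added in the earlier hunk of this function exists only to satisfy the out-parameter. If the length really is not needed (this presumes `query_dname_compare` works on the wire-format name alone; its contract is not visible here), say so at the call, e.g. `/* slen unused: signer is compared as a dname, not by length */`. The two single-line comments above the call would read better as one block comment stating the policy and what it relies on, e.g. `/* Only verify additional RRsets whose RRSIG signer is the key's own name; unsigned or differently-signed ones stay unchecked and are stripped later with the rest of the unchecked additional data. */`, because that later stripping (mentioned in the Changelog entry, not in this hunk) is the step that keeps unvalidated additional records out of replies. validate_msg_signatures begins before and continues past this hunk.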