- Fix for zonemd, that nxdomain for the chain of trust is allowed

for island zones, it is treated as an insecure zone for verification.
This commit is contained in:
W.C.A. Wijngaards 2021-02-22 17:32:40 +01:00
parent 40fbc3fa8a
commit 131d38f8f2
2 changed files with 28 additions and 0 deletions


@ -1,6 +1,8 @@
22 February 2021: Wouter 22 February 2021: Wouter
- Fix #431: Squelch permission denied errors for tcp connect - Fix #431: Squelch permission denied errors for tcp connect
and udp connect from the logs, unless at high verbosity. and udp connect from the logs, unless at high verbosity.
- Fix for zonemd, that nxdomain for the chain of trust is allowed
for island zones, it is treates as an insecure zone for verification.
18 February 2021: Wouter 18 February 2021: Wouter
- Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support. - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
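Review bot: spelling in the new changelog entry, "it is treates as an insecure zone" should read "it is treated as an insecure zone"; the same wording is used in the commit message, so both should be corrected together.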


@ -8117,6 +8117,32 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
"zonemd lookup of DNSKEY has nodata"); "zonemd lookup of DNSKEY has nodata");
reason = "lookup of DNSKEY has nodata"; reason = "lookup of DNSKEY has nodata";
} }
} else if(rep && rq.qtype == wanted_qtype &&
query_dname_compare(z->name, rq.qname) == 0 &&
FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
sec == sec_status_secure) {
/* secure nxdomain, so the zone is like some RPZ zone
* that does not exist in the wider internet, with
* a secure nxdomain answer outside of it. So we
* treat the zonemd zone without a dnssec chain of
* trust, as insecure. */
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
} else if(rep && rq.qtype == wanted_qtype &&
query_dname_compare(z->name, rq.qname) == 0 &&
FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
sec == sec_status_insecure) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
} else if(rep && rq.qtype == wanted_qtype &&
query_dname_compare(z->name, rq.qname) == 0 &&
FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
sec == sec_status_indeterminate) {
is_insecure = 1;
auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
} else { } else {
auth_zone_log(z->name, VERB_ALGO, auth_zone_log(z->name, VERB_ALGO,
"zonemd lookup of DNSKEY has no answer"); "zonemd lookup of DNSKEY has no answer");
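Review bot: the three new `else if` branches are identical apart from the `sec ==` comparison and the word in the log string, so the NXDOMAIN handling could be a single branch that checks `rq.qtype == wanted_qtype`, the name match and `LDNS_RCODE_NXDOMAIN` once and then tests `sec == sec_status_secure || sec == sec_status_insecure || sec == sec_status_indeterminate`, logging the status with `sec_status_to_string(sec)` if that helper is available here; that keeps the explanatory comment about island zones in one place and avoids three copies of the same query-match condition. The cases left to the final `else` (an NXDOMAIN with `sec_status_bogus`, or any NXDOMAIN where the qname or qtype does not match) are then logged only as "has no answer", which hides why the lookup was rejected; consider having that branch mention the rcode and security status in its `reason` so a bogus NXDOMAIN is distinguishable from no answer at all in the logs.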