new NS queries is not an option (off by default).

git-svn-id: file:///svn/unbound/trunk@1219 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2008-08-29 14:46:08 +00:00 · 2008-08-29 14:46:08 +00:00 · a66e16cb31
commit a66e16cb31
parent 49d295755d
17 changed files with 989 additions and 903 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,5 +1,7 @@
 29 August 2008: Wouter
 	- version 1.1 number in trunk.
+	- harden-referral-path option for query for NS records.
+	  Default turns off expensive, experimental option.

 28 August 2008: Wouter
 	- fixup logfile handling; it is created with correct permissions
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -227,7 +227,13 @@ server:
 	# trigger insecure mode for that zone (like without a trustanchor).
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
-	
+
+        # Harden the referral path by performing additional queries for
+	# infrastructure data.  Validates the replies (if possible).
+	# Default off, because it burdens the authority servers, and it is
+	# not RFC standard, and could be slower.  Experimental option.
+	# harden-referral-path: no
+
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# Disabled by default, because some caching forwarders may not
 	# support this (if you have forward-zones). Most authority servers do.
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -371,6 +371,16 @@ removes DNSSEC data from packets, or a zone changes from signed to
 unsigned to badly signed often. If turned off you run the risk of a 
 downgrade attack that disables security for a zone. Default is on.
 .TP
+.B harden\-referral\-path: \fI<yes or no>
+Harden the referral path by performing additional queries for
+infrastructure data.  Validates the replies if trust anchors are configured
+and the zones are signed.  This enforces DNSSEC validation on nameserver
+NS sets and the nameserver addresses that are encountered on the referral 
+path to the answer.
+Default off, because it burdens the authority servers, and it is
+not RFC standard, and could lead to performance problems because of the
+extra query load that is generated.  Experimental option.
+.TP
 .B use\-caps\-for\-id: \fI<yes or no>
 Use 0x20-encoded random bits in the query to foil spoof attempts.
 This perturbs the lowercase and uppercase of query names sent to 
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -58,6 +58,7 @@
 #include "util/data/dname.h"
 #include "util/data/msgencode.h"
 #include "util/fptr_wlist.h"
+#include "util/config_file.h"

 int 
 iter_init(struct module_env* env, int id)
@ -1330,7 +1331,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * got in the referral. This gets authoritative answer
 		 * (answer section trust level) rrset.
 		 * right after, we detach subs, we don't want the answer */
-		generate_ns_check(qstate, iq, id, iq->qchase.qclass);
+		if(qstate->env->cfg->harden_referral_path)
+			generate_ns_check(qstate, iq, id, iq->qchase.qclass);

 		/* stop current outstanding queries. 
 		 * FIXME: should the outstanding queries be waited for and
--- a/testdata/dlv_insecure.rpl
+++ b/testdata/dlv_insecure.rpl
@ -3,6 +3,7 @@
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
+	harden-referral-path: yes

 stub-zone:
 	name: "."
@ -139,22 +140,23 @@ ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752
 ENTRY_END

 ; DLV query
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NXDOMAIN
-SECTION QUESTION
-example.net.example.com. IN DLV
-SECTION ANSWER
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-ENTRY_END
+; picked out of the negative cache due to NS queries in between.
+; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR NXDOMAIN
+; SECTION QUESTION
+; example.net.example.com. IN DLV
+; SECTION ANSWER
+; SECTION AUTHORITY
+; example.com.	IN NS	ns.example.com.
+; example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+; example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
+; example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
+; SECTION ADDITIONAL
+; ns.example.com.		IN 	A	1.2.3.4
+; ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+; ENTRY_END

 ENTRY_BEGIN
 MATCH opcode qtype qname
--- a/testdata/iter_lame_noaa.rpl
+++ b/testdata/iter_lame_noaa.rpl
@ -1,4 +1,6 @@
 ; config options
+server:
+	harden-referral-path: yes
 stub-zone:
        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
--- a/testdata/iter_ns_spoof.rpl
+++ b/testdata/iter_ns_spoof.rpl
@ -1,4 +1,6 @@
 ; config options
+server:
+	harden-referral-path: yes
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
--- a/testdata/iter_scrub_cname_an.rpl
+++ b/testdata/iter_scrub_cname_an.rpl
@ -1,4 +1,6 @@
 ; config options
+server:
+	harden-referral-path: yes
 stub-zone:
        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
--- a/testdata/iter_scrub_dname_insec.rpl
+++ b/testdata/iter_scrub_dname_insec.rpl
@ -1,4 +1,6 @@
 ; config options
+server:
+	harden-referral-path: yes
 stub-zone:
        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
--- a/testdata/val_referd.rpl
+++ b/testdata/val_referd.rpl
@ -3,6 +3,7 @@
 server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
+	harden-referral-path: yes

 stub-zone:
 	name: "."
--- a/util/config_file.c
+++ b/util/config_file.c
@ -129,6 +129,7 @@ config_create()
 	cfg->harden_large_queries = 0;
 	cfg->harden_glue = 1;
 	cfg->harden_dnssec_stripped = 1;
+	cfg->harden_referral_path = 0;
 	cfg->use_caps_bits_for_id = 0;
 	cfg->hide_identity = 0;
 	cfg->hide_version = 0;
--- a/util/config_file.h
+++ b/util/config_file.h
@ -143,6 +143,8 @@ struct config_file {
 	int harden_glue;
 	/** harden against receiving no DNSSEC data for trust anchor */
 	int harden_dnssec_stripped;
+	/** harden the referral path, query for NS,A,AAAA and validate */
+	int harden_referral_path;
 	/** use 0x20 bits in query as random ID bits */
 	int use_caps_bits_for_id;

--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -147,6 +147,7 @@ harden-short-bufsize{COLON}	{ YDOUT; return VAR_HARDEN_SHORT_BUFSIZE;}
 harden-large-queries{COLON}	{ YDOUT; return VAR_HARDEN_LARGE_QUERIES;}
 harden-glue{COLON}	{ YDOUT; return VAR_HARDEN_GLUE;}
 harden-dnssec-stripped{COLON}	{ YDOUT; return VAR_HARDEN_DNNSEC_STRIPPED;}
+harden-referral-path{COLON}	{ YDOUT; return VAR_HARDEN_REFERRAL_PATH;}
 use-caps-for-id{COLON}	{ YDOUT; return VAR_USE_CAPS_FOR_ID;}
 stub-zone{COLON}	{ YDOUT; return VAR_STUB_ZONE;}
 name{COLON}		{ YDOUT; return VAR_NAME;}
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -120,7 +120,8 @@
     VAR_OUTGOING_PORT_AVOID = 336,
     VAR_DLV_ANCHOR_FILE = 337,
     VAR_DLV_ANCHOR = 338,
-     VAR_NEG_CACHE_SIZE = 339
+     VAR_NEG_CACHE_SIZE = 339,
+     VAR_HARDEN_REFERRAL_PATH = 340
   };
 #endif
 /* Tokens.  */
@ -206,6 +207,7 @@
 #define VAR_DLV_ANCHOR_FILE 337
 #define VAR_DLV_ANCHOR 338
 #define VAR_NEG_CACHE_SIZE 339
+#define VAR_HARDEN_REFERRAL_PATH 340



@ -217,7 +219,7 @@ typedef union YYSTYPE
 	char*	str;
 }
 /* Line 1489 of yacc.c.  */
-#line 221 "util/configparser.h"
+#line 223 "util/configparser.h"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
--- a/util/configparser.y
+++ b/util/configparser.y
@ -91,7 +91,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STATISTICS_INTERVAL VAR_DO_DAEMONIZE VAR_USE_CAPS_FOR_ID
 %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
-%token VAR_NEG_CACHE_SIZE
+%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH

 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -134,7 +134,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_statistics_interval | server_do_daemonize | 
 	server_use_caps_for_id | server_statistics_cumulative |
 	server_outgoing_port_permit | server_outgoing_port_avoid |
-	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size
+	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
+	server_harden_referral_path
 	;
 stubstart: VAR_STUB_ZONE
 	{
@ -626,6 +627,16 @@ server_harden_dnssec_stripped: VAR_HARDEN_DNNSEC_STRIPPED STRING
 		free($2);
 	}
 	;
+server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING
+	{
+		OUTYY(("P(server_harden_referral_path:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->harden_referral_path = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING
 	{
 		OUTYY(("P(server_use_caps_for_id:%s)\n", $2));