upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Scrub NS records from NXDOMAIN responses to stop fragmentation

Browse source 
poisoning of the cache.


git-svn-id: file:///svn/unbound/trunk@4961 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-11-20 09:44:40 +00:00
parent 069b0b8c90
commit f7e99131b9
4 changed files with 20 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -1,3 +1,7 @@
20 November 2018: Wouter
- Scrub NS records from NXDOMAIN responses to stop fragmentation
poisoning of the cache.
19 November 2018: Wouter 19 November 2018: Wouter
- Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes - Support SO_REUSEPORT_LB in FreeBSD 12 with the so-reuseport: yes
option in unbound.conf. option in unbound.conf.

10
iterator/iter_scrub.c
View file

@ -497,6 +497,16 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
"RRset:", pkt, msg, prev, &rrset); "RRset:", pkt, msg, prev, &rrset);
continue; continue;
} }
/* we don't want NS sets for NXDOMAIN answers,
* because they could contain poisonous contents,
* from. eg. fragmentation attacks, inserted after
* long RRSIGs in the packet get to the packet
* border and such */
if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) {
remove_rrset("normalize: removing irrelevant "
"RRset:", pkt, msg, prev, &rrset);
continue;
}
if(nsset == NULL) { if(nsset == NULL) {
nsset = rrset; nsset = rrset;
} else { } else {

4
testdata/iter_domain_sale.rpl vendored
View file

@ -241,9 +241,9 @@ SECTION ANSWER
SECTION AUTHORITY SECTION AUTHORITY
; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA ; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
example.com. 5 IN SOA a. b. 1 2 3 4 5 example.com. 5 IN SOA a. b. 1 2 3 4 5
example.com. 1800 IN NS ns.example.com. ;example.com. 1800 IN NS ns.example.com.
SECTION ADDITIONAL SECTION ADDITIONAL
ns.example.com. 1800 IN A 1.2.3.4 ;ns.example.com. 1800 IN A 1.2.3.4
ENTRY_END ENTRY_END
; after another 1900 seconds the domain must have timed out. ; after another 1900 seconds the domain must have timed out.

8
testdata/iter_domain_sale_nschange.rpl vendored
View file

@ -288,9 +288,9 @@ SECTION ANSWER
SECTION AUTHORITY SECTION AUTHORITY
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA. ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
example.com. 5 IN SOA a. b. 1 2 3 4 5 example.com. 5 IN SOA a. b. 1 2 3 4 5
example.com. 3600 IN NS nsb.example.com. ;example.com. 3600 IN NS nsb.example.com.
SECTION ADDITIONAL SECTION ADDITIONAL
nsb.example.com. 3600 IN A 1.2.3.4 ;nsb.example.com. 3600 IN A 1.2.3.4
ENTRY_END ENTRY_END
STEP 62 QUERY STEP 62 QUERY
@ -310,9 +310,9 @@ SECTION ANSWER
SECTION AUTHORITY SECTION AUTHORITY
; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA. ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
example.com. 5 IN SOA a. b. 1 2 3 4 5 example.com. 5 IN SOA a. b. 1 2 3 4 5
example.com. 1800 IN NS nsb.example.com. ;example.com. 1800 IN NS nsb.example.com.
SECTION ADDITIONAL SECTION ADDITIONAL
nsb.example.com. 3600 IN A 1.2.3.4 ;nsb.example.com. 3600 IN A 1.2.3.4
ENTRY_END ENTRY_END
; after another 1900 seconds the domain must have timed out. ; after another 1900 seconds the domain must have timed out.