|
|
578297 |
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
|
|
578297 |
index 869d258..c1f9498 100644
|
|
|
578297 |
--- a/lib/dns/message.c
|
|
|
578297 |
+++ b/lib/dns/message.c
|
|
|
578297 |
@@ -1150,6 +1150,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
|
|
|
578297 |
return (ISC_FALSE);
|
|
|
578297 |
}
|
|
|
578297 |
|
|
|
578297 |
+/*
|
|
|
578297 |
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
|
|
|
578297 |
+ * covering RRSIGs.
|
|
|
578297 |
+ */
|
|
|
578297 |
+static isc_boolean_t
|
|
|
578297 |
+auth_signed(dns_namelist_t *section) {
|
|
|
578297 |
+ dns_name_t *name;
|
|
|
578297 |
+
|
|
|
578297 |
+ for (name = ISC_LIST_HEAD(*section);
|
|
|
578297 |
+ name != NULL;
|
|
|
578297 |
+ name = ISC_LIST_NEXT(name, link))
|
|
|
578297 |
+ {
|
|
|
578297 |
+ int auth_dnssec = 0, auth_rrsig = 0;
|
|
|
578297 |
+ dns_rdataset_t *rds;
|
|
|
578297 |
+
|
|
|
578297 |
+ for (rds = ISC_LIST_HEAD(name->list);
|
|
|
578297 |
+ rds != NULL;
|
|
|
578297 |
+ rds = ISC_LIST_NEXT(rds, link))
|
|
|
578297 |
+ {
|
|
|
578297 |
+ switch (rds->type) {
|
|
|
578297 |
+ case dns_rdatatype_ds:
|
|
|
578297 |
+ auth_dnssec |= 0x1;
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ case dns_rdatatype_nsec:
|
|
|
578297 |
+ auth_dnssec |= 0x2;
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ case dns_rdatatype_nsec3:
|
|
|
578297 |
+ auth_dnssec |= 0x4;
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ case dns_rdatatype_rrsig:
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ default:
|
|
|
578297 |
+ continue;
|
|
|
578297 |
+ }
|
|
|
578297 |
+
|
|
|
578297 |
+ switch (rds->covers) {
|
|
|
578297 |
+ case dns_rdatatype_ds:
|
|
|
578297 |
+ auth_rrsig |= 0x1;
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ case dns_rdatatype_nsec:
|
|
|
578297 |
+ auth_rrsig |= 0x2;
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ case dns_rdatatype_nsec3:
|
|
|
578297 |
+ auth_rrsig |= 0x4;
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ default:
|
|
|
578297 |
+ break;
|
|
|
578297 |
+ }
|
|
|
578297 |
+ }
|
|
|
578297 |
+
|
|
|
578297 |
+ if (auth_dnssec != auth_rrsig)
|
|
|
578297 |
+ return (ISC_FALSE);
|
|
|
578297 |
+ }
|
|
|
578297 |
+
|
|
|
578297 |
+ return (ISC_TRUE);
|
|
|
578297 |
+}
|
|
|
578297 |
+
|
|
|
578297 |
static isc_result_t
|
|
|
578297 |
getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|
|
578297 |
dns_section_t sectionid, unsigned int options)
|
|
|
578297 |
@@ -1175,12 +1232,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|
|
578297 |
best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
|
|
|
578297 |
seen_problem = ISC_FALSE;
|
|
|
578297 |
|
|
|
578297 |
+ section = &msg->sections[sectionid];
|
|
|
578297 |
+
|
|
|
578297 |
for (count = 0; count < msg->counts[sectionid]; count++) {
|
|
|
578297 |
int recstart = source->current;
|
|
|
578297 |
isc_boolean_t skip_name_search, skip_type_search;
|
|
|
578297 |
|
|
|
578297 |
- section = &msg->sections[sectionid];
|
|
|
578297 |
-
|
|
|
578297 |
skip_name_search = ISC_FALSE;
|
|
|
578297 |
skip_type_search = ISC_FALSE;
|
|
|
578297 |
free_rdataset = ISC_FALSE;
|
|
|
578297 |
@@ -1354,7 +1411,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|
|
578297 |
goto cleanup;
|
|
|
578297 |
rdata->rdclass = rdclass;
|
|
|
578297 |
issigzero = ISC_FALSE;
|
|
|
578297 |
- if (rdtype == dns_rdatatype_rrsig &&
|
|
|
578297 |
+ if (rdtype == dns_rdatatype_rrsig &&
|
|
|
578297 |
rdata->flags == 0) {
|
|
|
578297 |
covers = dns_rdata_covers(rdata);
|
|
|
578297 |
if (covers == 0)
|
|
|
578297 |
@@ -1565,6 +1622,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|
|
578297 |
INSIST(free_rdataset == ISC_FALSE);
|
|
|
578297 |
}
|
|
|
578297 |
|
|
|
578297 |
+ /*
|
|
|
578297 |
+ * If any of DS, NSEC or NSEC3 appeared in the
|
|
|
578297 |
+ * authority section of a query response without
|
|
|
578297 |
+ * a covering RRSIG, FORMERR
|
|
|
578297 |
+ */
|
|
|
578297 |
+ if (sectionid == DNS_SECTION_AUTHORITY &&
|
|
|
578297 |
+ msg->opcode == dns_opcode_query &&
|
|
|
578297 |
+ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
|
|
|
578297 |
+ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
|
|
|
578297 |
+ !preserve_order &&
|
|
|
578297 |
+ !auth_signed(section))
|
|
|
578297 |
+ DO_FORMERR;
|
|
|
578297 |
+
|
|
|
578297 |
if (seen_problem)
|
|
|
578297 |
return (DNS_R_RECOVERABLE);
|
|
|
578297 |
return (ISC_R_SUCCESS);
|
|
|
578297 |
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
|
|
578297 |
index 2bc4461..e5600a3 100644
|
|
|
578297 |
--- a/lib/dns/resolver.c
|
|
|
578297 |
+++ b/lib/dns/resolver.c
|
|
|
578297 |
@@ -5194,13 +5194,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
|
|
|
578297 |
rdataset->type,
|
|
|
578297 |
&noqname);
|
|
|
578297 |
if (tresult == ISC_R_SUCCESS &&
|
|
|
578297 |
- noqname != NULL) {
|
|
|
578297 |
- tresult =
|
|
|
578297 |
- dns_rdataset_addnoqname(
|
|
|
578297 |
+ noqname != NULL)
|
|
|
578297 |
+ (void) dns_rdataset_addnoqname(
|
|
|
578297 |
rdataset, noqname);
|
|
|
578297 |
- RUNTIME_CHECK(tresult ==
|
|
|
578297 |
- ISC_R_SUCCESS);
|
|
|
578297 |
- }
|
|
|
578297 |
}
|
|
|
578297 |
addedrdataset = ardataset;
|
|
|
578297 |
result = dns_db_addrdataset(fctx->cache, node,
|
|
|
578297 |
@@ -5330,11 +5326,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
|
|
|
578297 |
tresult = findnoqname(fctx, name,
|
|
|
578297 |
rdataset->type, &noqname);
|
|
|
578297 |
if (tresult == ISC_R_SUCCESS &&
|
|
|
578297 |
- noqname != NULL) {
|
|
|
578297 |
- tresult = dns_rdataset_addnoqname(
|
|
|
578297 |
- rdataset, noqname);
|
|
|
578297 |
- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
|
|
|
578297 |
- }
|
|
|
578297 |
+ noqname != NULL)
|
|
|
578297 |
+ (void) dns_rdataset_addnoqname(
|
|
|
578297 |
+ rdataset, noqname);
|
|
|
578297 |
}
|
|
|
578297 |
|
|
|
578297 |
/*
|