|
|
e20e41 |
From b09d07ee2aa891c5b8dd2469c4a73c9dd61e2384 Mon Sep 17 00:00:00 2001
|
|
|
e20e41 |
From: Simon Kelley <simon@thekelleys.org.uk>
|
|
|
e20e41 |
Date: Wed, 25 Oct 2017 17:48:19 +0100
|
|
|
e20e41 |
Subject: [PATCH 1/2] Fix caching logic for validated answers.
|
|
|
e20e41 |
|
|
|
e20e41 |
The current logic is naive in the case that there is more than
|
|
|
e20e41 |
one RRset in an answer (Typically, when a non-CNAME query is answered
|
|
|
e20e41 |
by one or more CNAME RRs, and then then an answer RRset.)
|
|
|
e20e41 |
|
|
|
e20e41 |
If all the RRsets validate, then they are cached and marked as validated,
|
|
|
e20e41 |
but if any RRset doesn't validate, then the AD flag is not set (good) and
|
|
|
e20e41 |
ALL the RRsets are cached marked as not validated.
|
|
|
e20e41 |
|
|
|
e20e41 |
This breaks when, eg, the answer contains a validated CNAME, pointing
|
|
|
e20e41 |
to a non-validated answer. A subsequent query for the CNAME without do
|
|
|
e20e41 |
will get an answer with the AD flag wrongly reset, and worse, the same
|
|
|
e20e41 |
query with do will get a cached answer without RRSIGS, rather than
|
|
|
e20e41 |
being forwarded.
|
|
|
e20e41 |
|
|
|
e20e41 |
The code now records the validation of individual RRsets and that
|
|
|
e20e41 |
is used to correctly set the "validated" bits in the cache entries.
|
|
|
e20e41 |
|
|
|
e20e41 |
(cherry picked from commit a6004d7f17687ac2455f724d0b57098c413f128d)
|
|
|
e20e41 |
---
|
|
|
e20e41 |
src/dnsmasq.c | 2 +
|
|
|
e20e41 |
src/dnsmasq.h | 5 +-
|
|
|
e20e41 |
src/dnssec.c | 174 +++++++++++++++++++++++++++++---------------------
|
|
|
e20e41 |
src/forward.c | 19 ++++--
|
|
|
e20e41 |
src/rfc1035.c | 58 ++++++++++++-----
|
|
|
e20e41 |
5 files changed, 162 insertions(+), 96 deletions(-)
|
|
|
e20e41 |
|
|
|
e20e41 |
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
|
|
|
e20e41 |
index 50b2029..f3d2671 100644
|
|
|
e20e41 |
--- a/src/dnsmasq.c
|
|
|
e20e41 |
+++ b/src/dnsmasq.c
|
|
|
e20e41 |
@@ -118,6 +118,8 @@ int main (int argc, char **argv)
|
|
|
e20e41 |
daemon->namebuff = safe_malloc(MAXDNAME * 2);
|
|
|
e20e41 |
daemon->keyname = safe_malloc(MAXDNAME * 2);
|
|
|
e20e41 |
daemon->workspacename = safe_malloc(MAXDNAME * 2);
|
|
|
e20e41 |
+ /* one char flag per possible RR in answer section. */
|
|
|
e20e41 |
+ daemon->rr_status = safe_malloc(256);
|
|
|
e20e41 |
}
|
|
|
e20e41 |
#endif
|
|
|
e20e41 |
|
|
|
e20e41 |
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
|
|
e20e41 |
index 5a68162..89d138a 100644
|
|
|
e20e41 |
--- a/src/dnsmasq.h
|
|
|
e20e41 |
+++ b/src/dnsmasq.h
|
|
|
e20e41 |
@@ -1006,6 +1006,7 @@ extern struct daemon {
|
|
|
e20e41 |
#ifdef HAVE_DNSSEC
|
|
|
e20e41 |
char *keyname; /* MAXDNAME size buffer */
|
|
|
e20e41 |
char *workspacename; /* ditto */
|
|
|
e20e41 |
+ char *rr_status; /* 256 bytes as flags for individual RRs */
|
|
|
e20e41 |
#endif
|
|
|
e20e41 |
unsigned int local_answer, queries_forwarded, auth_answer;
|
|
|
e20e41 |
struct frec *frec_list;
|
|
|
e20e41 |
@@ -1118,7 +1119,7 @@ size_t setup_reply(struct dns_header *header, size_t qlen,
|
|
|
e20e41 |
unsigned long local_ttl);
|
|
|
e20e41 |
int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff,
|
|
|
e20e41 |
time_t now, char **ipsets, int is_sign, int checkrebind,
|
|
|
e20e41 |
- int no_cache, int secure, int *doctored);
|
|
|
e20e41 |
+ int no_cache_dnssec, int secure, int *doctored, char *rr_status);
|
|
|
e20e41 |
size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
|
e20e41 |
struct in_addr local_addr, struct in_addr local_netmask,
|
|
|
e20e41 |
time_t now, int ad_reqd, int do_bit, int have_pseudoheader);
|
|
|
e20e41 |
@@ -1151,7 +1152,7 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
|
|
|
e20e41 |
int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class);
|
|
|
e20e41 |
int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
|
|
|
e20e41 |
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
|
|
|
e20e41 |
- int check_unsigned, int *neganswer, int *nons);
|
|
|
e20e41 |
+ int check_unsigned, int *neganswer, int *nons, char *rr_status);
|
|
|
e20e41 |
int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
|
|
|
e20e41 |
size_t filter_rrsigs(struct dns_header *header, size_t plen);
|
|
|
e20e41 |
unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
|
|
|
e20e41 |
diff --git a/src/dnssec.c b/src/dnssec.c
|
|
|
e20e41 |
index f45c804..3121eb1 100644
|
|
|
e20e41 |
--- a/src/dnssec.c
|
|
|
e20e41 |
+++ b/src/dnssec.c
|
|
|
e20e41 |
@@ -1177,8 +1177,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
|
|
e20e41 |
if (qtype != T_DS || qclass != class)
|
|
|
e20e41 |
rc = STAT_BOGUS;
|
|
|
e20e41 |
else
|
|
|
e20e41 |
- rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons);
|
|
|
e20e41 |
- /* Note dnssec_validate_reply() will have cached positive answers */
|
|
|
e20e41 |
+ rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, NULL);
|
|
|
e20e41 |
|
|
|
e20e41 |
if (rc == STAT_INSECURE)
|
|
|
e20e41 |
rc = STAT_BOGUS;
|
|
|
e20e41 |
@@ -1962,18 +1961,25 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
|
|
|
e20e41 |
STAT_INSECURE at least one RRset not validated, because in unsigned zone.
|
|
|
e20e41 |
STAT_BOGUS signature is wrong, bad packet, no validation where there should be.
|
|
|
e20e41 |
STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname, class in *class)
|
|
|
e20e41 |
- STAT_NEED_DS need DS to complete validation (name is returned in keyname)
|
|
|
e20e41 |
+ STAT_NEED_DS need DS to complete validation (name is returned in keyname)
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ If non-NULL, rr_status points to a char array which corressponds to the RRs in the
|
|
|
e20e41 |
+ answer section (only). This is set to 1 for each RR which is validated, and 0 for any which aren't.
|
|
|
e20e41 |
*/
|
|
|
e20e41 |
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname,
|
|
|
e20e41 |
- int *class, int check_unsigned, int *neganswer, int *nons)
|
|
|
e20e41 |
+ int *class, int check_unsigned, int *neganswer, int *nons, char *rr_status)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
static unsigned char **targets = NULL;
|
|
|
e20e41 |
static int target_sz = 0;
|
|
|
e20e41 |
|
|
|
e20e41 |
unsigned char *ans_start, *p1, *p2;
|
|
|
e20e41 |
- int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetidx;
|
|
|
e20e41 |
+ int type1, class1, rdlen1 = 0, type2, class2, rdlen2, qclass, qtype, targetidx;
|
|
|
e20e41 |
int i, j, rc;
|
|
|
e20e41 |
+ int secure = STAT_SECURE;
|
|
|
e20e41 |
|
|
|
e20e41 |
+ if (rr_status)
|
|
|
e20e41 |
+ memset(rr_status, 0, ntohs(header->ancount));
|
|
|
e20e41 |
+
|
|
|
e20e41 |
if (neganswer)
|
|
|
e20e41 |
*neganswer = 0;
|
|
|
e20e41 |
|
|
|
e20e41 |
@@ -2030,7 +2036,10 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
|
|
e20e41 |
|
|
|
e20e41 |
for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- if (!extract_name(header, plen, &p1, name, 1, 10))
|
|
|
e20e41 |
+ if (i != 0 && !ADD_RDLEN(header, p1, plen, rdlen1))
|
|
|
e20e41 |
+ return STAT_BOGUS;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (!extract_name(header, plen, &p1, name, 1, 10))
|
|
|
e20e41 |
return STAT_BOGUS; /* bad packet */
|
|
|
e20e41 |
|
|
|
e20e41 |
GETSHORT(type1, p1);
|
|
|
e20e41 |
@@ -2039,106 +2048,125 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
|
|
e20e41 |
GETSHORT(rdlen1, p1);
|
|
|
e20e41 |
|
|
|
e20e41 |
/* Don't try and validate RRSIGs! */
|
|
|
e20e41 |
- if (type1 != T_RRSIG)
|
|
|
e20e41 |
+ if (type1 == T_RRSIG)
|
|
|
e20e41 |
+ continue;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ /* Check if we've done this RRset already */
|
|
|
e20e41 |
+ for (p2 = ans_start, j = 0; j < i; j++)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- /* Check if we've done this RRset already */
|
|
|
e20e41 |
- for (p2 = ans_start, j = 0; j < i; j++)
|
|
|
e20e41 |
- {
|
|
|
e20e41 |
- if (!(rc = extract_name(header, plen, &p2, name, 0, 10)))
|
|
|
e20e41 |
- return STAT_BOGUS; /* bad packet */
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- GETSHORT(type2, p2);
|
|
|
e20e41 |
- GETSHORT(class2, p2);
|
|
|
e20e41 |
- p2 += 4; /* TTL */
|
|
|
e20e41 |
- GETSHORT(rdlen2, p2);
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- if (type2 == type1 && class2 == class1 && rc == 1)
|
|
|
e20e41 |
- break; /* Done it before: name, type, class all match. */
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- if (!ADD_RDLEN(header, p2, plen, rdlen2))
|
|
|
e20e41 |
- return STAT_BOGUS;
|
|
|
e20e41 |
- }
|
|
|
e20e41 |
+ if (!(rc = extract_name(header, plen, &p2, name, 0, 10)))
|
|
|
e20e41 |
+ return STAT_BOGUS; /* bad packet */
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ GETSHORT(type2, p2);
|
|
|
e20e41 |
+ GETSHORT(class2, p2);
|
|
|
e20e41 |
+ p2 += 4; /* TTL */
|
|
|
e20e41 |
+ GETSHORT(rdlen2, p2);
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (type2 == type1 && class2 == class1 && rc == 1)
|
|
|
e20e41 |
+ break; /* Done it before: name, type, class all match. */
|
|
|
e20e41 |
|
|
|
e20e41 |
+ if (!ADD_RDLEN(header, p2, plen, rdlen2))
|
|
|
e20e41 |
+ return STAT_BOGUS;
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (j != i)
|
|
|
e20e41 |
+ {
|
|
|
e20e41 |
+ /* Done already: copy the validation status */
|
|
|
e20e41 |
+ if (rr_status && (i < ntohs(header->ancount)))
|
|
|
e20e41 |
+ rr_status[i] = rr_status[j];
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
+ else
|
|
|
e20e41 |
+ {
|
|
|
e20e41 |
/* Not done, validate now */
|
|
|
e20e41 |
- if (j == i)
|
|
|
e20e41 |
+ int sigcnt, rrcnt;
|
|
|
e20e41 |
+ char *wildname;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt))
|
|
|
e20e41 |
+ return STAT_BOGUS;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ /* No signatures for RRset. We can be configured to assume this is OK and return a INSECURE result. */
|
|
|
e20e41 |
+ if (sigcnt == 0)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- int sigcnt, rrcnt;
|
|
|
e20e41 |
- char *wildname;
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigcnt, &rrcnt))
|
|
|
e20e41 |
- return STAT_BOGUS;
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- /* No signatures for RRset. We can be configured to assume this is OK and return a INSECURE result. */
|
|
|
e20e41 |
- if (sigcnt == 0)
|
|
|
e20e41 |
+ if (check_unsigned)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- if (check_unsigned)
|
|
|
e20e41 |
- {
|
|
|
e20e41 |
- rc = zone_status(name, class1, keyname, now);
|
|
|
e20e41 |
- if (rc == STAT_SECURE)
|
|
|
e20e41 |
- rc = STAT_BOGUS;
|
|
|
e20e41 |
- if (class)
|
|
|
e20e41 |
- *class = class1; /* Class for NEED_DS or NEED_KEY */
|
|
|
e20e41 |
- }
|
|
|
e20e41 |
- else
|
|
|
e20e41 |
- rc = STAT_INSECURE;
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- return rc;
|
|
|
e20e41 |
+ rc = zone_status(name, class1, keyname, now);
|
|
|
e20e41 |
+ if (rc == STAT_SECURE)
|
|
|
e20e41 |
+ rc = STAT_BOGUS;
|
|
|
e20e41 |
+ if (class)
|
|
|
e20e41 |
+ *class = class1; /* Class for NEED_DS or NEED_KEY */
|
|
|
e20e41 |
}
|
|
|
e20e41 |
+ else
|
|
|
e20e41 |
+ rc = STAT_INSECURE;
|
|
|
e20e41 |
|
|
|
e20e41 |
+ if (rc != STAT_INSECURE)
|
|
|
e20e41 |
+ return rc;
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
+ else
|
|
|
e20e41 |
+ {
|
|
|
e20e41 |
/* explore_rrset() gives us key name from sigs in keyname.
|
|
|
e20e41 |
Can't overwrite name here. */
|
|
|
e20e41 |
strcpy(daemon->workspacename, keyname);
|
|
|
e20e41 |
rc = zone_status(daemon->workspacename, class1, keyname, now);
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- if (rc != STAT_SECURE)
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
/* Zone is insecure, don't need to validate RRset */
|
|
|
e20e41 |
if (class)
|
|
|
e20e41 |
*class = class1; /* Class for NEED_DS or NEED_KEY */
|
|
|
e20e41 |
return rc;
|
|
|
e20e41 |
- }
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- rc = validate_rrset(now, header, plen, class1, type1, sigcnt, rrcnt, name, keyname, &wildname, NULL, 0, 0, 0);
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
|
|
|
e20e41 |
- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
|
|
|
e20e41 |
- {
|
|
|
e20e41 |
- if (class)
|
|
|
e20e41 |
- *class = class1; /* Class for DS or DNSKEY */
|
|
|
e20e41 |
- return rc;
|
|
|
e20e41 |
- }
|
|
|
e20e41 |
- else
|
|
|
e20e41 |
+ /* Zone is insecure, don't need to validate RRset */
|
|
|
e20e41 |
+ if (rc == STAT_SECURE)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
+ rc = validate_rrset(now, header, plen, class1, type1, sigcnt,
|
|
|
e20e41 |
+ rrcnt, name, keyname, &wildname, NULL, 0, 0, 0);
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
|
|
|
e20e41 |
+ {
|
|
|
e20e41 |
+ if (class)
|
|
|
e20e41 |
+ *class = class1; /* Class for DS or DNSKEY */
|
|
|
e20e41 |
+ return rc;
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
+
|
|
|
e20e41 |
/* rc is now STAT_SECURE or STAT_SECURE_WILDCARD */
|
|
|
e20e41 |
-
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ /* Note that RR is validated */
|
|
|
e20e41 |
+ if (rr_status && (i < ntohs(header->ancount)))
|
|
|
e20e41 |
+ rr_status[i] = 1;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
/* Note if we've validated either the answer to the question
|
|
|
e20e41 |
or the target of a CNAME. Any not noted will need NSEC or
|
|
|
e20e41 |
to be in unsigned space. */
|
|
|
e20e41 |
-
|
|
|
e20e41 |
for (j = 0; j
|
|
|
e20e41 |
if ((p2 = targets[j]))
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- if (!(rc = extract_name(header, plen, &p2, name, 0, 10)))
|
|
|
e20e41 |
+ int rc1;
|
|
|
e20e41 |
+ if (!(rc1 = extract_name(header, plen, &p2, name, 0, 10)))
|
|
|
e20e41 |
return STAT_BOGUS; /* bad packet */
|
|
|
e20e41 |
|
|
|
e20e41 |
- if (class1 == qclass && rc == 1 && (type1 == T_CNAME || type1 == qtype || qtype == T_ANY ))
|
|
|
e20e41 |
+ if (class1 == qclass && rc1 == 1 && (type1 == T_CNAME || type1 == qtype || qtype == T_ANY ))
|
|
|
e20e41 |
targets[j] = NULL;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
-
|
|
|
e20e41 |
- /* An attacker replay a wildcard answer with a different
|
|
|
e20e41 |
- answer and overlay a genuine RR. To prove this
|
|
|
e20e41 |
- hasn't happened, the answer must prove that
|
|
|
e20e41 |
- the gennuine record doesn't exist. Check that here.
|
|
|
e20e41 |
- Note that we may not yet have validated the NSEC/NSEC3 RRsets.
|
|
|
e20e41 |
- That's not a problem since if the RRsets later fail
|
|
|
e20e41 |
- we'll return BOGUS then. */
|
|
|
e20e41 |
- if (rc == STAT_SECURE_WILDCARD && !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL))
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ /* An attacker replay a wildcard answer with a different
|
|
|
e20e41 |
+ answer and overlay a genuine RR. To prove this
|
|
|
e20e41 |
+ hasn't happened, the answer must prove that
|
|
|
e20e41 |
+ the genuine record doesn't exist. Check that here.
|
|
|
e20e41 |
+ Note that we may not yet have validated the NSEC/NSEC3 RRsets.
|
|
|
e20e41 |
+ That's not a problem since if the RRsets later fail
|
|
|
e20e41 |
+ we'll return BOGUS then. */
|
|
|
e20e41 |
+ if (rc == STAT_SECURE_WILDCARD &&
|
|
|
e20e41 |
+ !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL))
|
|
|
e20e41 |
return STAT_BOGUS;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ rc = STAT_SECURE;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
}
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
- if (!ADD_RDLEN(header, p1, plen, rdlen1))
|
|
|
e20e41 |
- return STAT_BOGUS;
|
|
|
e20e41 |
+ if (rc == STAT_INSECURE)
|
|
|
e20e41 |
+ secure = STAT_INSECURE;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
/* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
|
|
|
e20e41 |
@@ -2172,7 +2200,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
|
|
e20e41 |
}
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
- return STAT_SECURE;
|
|
|
e20e41 |
+ return secure;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
|
|
|
e20e41 |
diff --git a/src/forward.c b/src/forward.c
|
|
|
e20e41 |
index a729c06..245c448 100644
|
|
|
e20e41 |
--- a/src/forward.c
|
|
|
e20e41 |
+++ b/src/forward.c
|
|
|
e20e41 |
@@ -561,7 +561,8 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
|
|
|
e20e41 |
char **sets = 0;
|
|
|
e20e41 |
int munged = 0, is_sign;
|
|
|
e20e41 |
size_t plen;
|
|
|
e20e41 |
-
|
|
|
e20e41 |
+ char *rr_status = NULL;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
(void)ad_reqd;
|
|
|
e20e41 |
(void)do_bit;
|
|
|
e20e41 |
(void)bogusanswer;
|
|
|
e20e41 |
@@ -651,6 +652,11 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
|
|
|
e20e41 |
server->flags |= SERV_WARNED_RECURSIVE;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
+#ifdef HAVE_DNSSEC
|
|
|
e20e41 |
+ if (option_bool(OPT_DNSSEC_VALID))
|
|
|
e20e41 |
+ rr_status = daemon->rr_status;
|
|
|
e20e41 |
+#endif
|
|
|
e20e41 |
+
|
|
|
e20e41 |
if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
|
|
|
e20e41 |
check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
|
|
|
e20e41 |
{
|
|
|
e20e41 |
@@ -676,7 +682,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
|
|
|
e20e41 |
cache_secure = 0;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
- if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
|
|
|
e20e41 |
+ if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored, rr_status))
|
|
|
e20e41 |
{
|
|
|
e20e41 |
my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
|
|
|
e20e41 |
munged = 1;
|
|
|
e20e41 |
@@ -856,7 +862,7 @@ void reply_query(int fd, int family, time_t now)
|
|
|
e20e41 |
if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
|
|
|
e20e41 |
-
|
|
|
e20e41 |
+
|
|
|
e20e41 |
if (option_bool(OPT_NO_REBIND))
|
|
|
e20e41 |
check_rebind = !(forward->flags & FREC_NOREBIND);
|
|
|
e20e41 |
|
|
|
e20e41 |
@@ -896,7 +902,8 @@ void reply_query(int fd, int family, time_t now)
|
|
|
e20e41 |
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
|
|
e20e41 |
else
|
|
|
e20e41 |
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class,
|
|
|
e20e41 |
- option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL);
|
|
|
e20e41 |
+ option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
|
|
|
e20e41 |
+ NULL, NULL, daemon->rr_status);
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
/* Can't validate, as we're missing key data. Put this
|
|
|
e20e41 |
@@ -1480,7 +1487,9 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
|
|
e20e41 |
else if (status == STAT_NEED_DS)
|
|
|
e20e41 |
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
|
|
|
e20e41 |
else
|
|
|
e20e41 |
- new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL);
|
|
|
e20e41 |
+ new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
|
|
|
e20e41 |
+ option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
|
|
|
e20e41 |
+ NULL, NULL, daemon->rr_status);
|
|
|
e20e41 |
|
|
|
e20e41 |
if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
|
|
|
e20e41 |
break;
|
|
|
e20e41 |
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
|
|
e20e41 |
index f78b5cb..607412f 100644
|
|
|
e20e41 |
--- a/src/rfc1035.c
|
|
|
e20e41 |
+++ b/src/rfc1035.c
|
|
|
e20e41 |
@@ -571,7 +571,8 @@ static int find_soa(struct dns_header *header, size_t qlen, char *name, int *doc
|
|
|
e20e41 |
expired and cleaned out that way.
|
|
|
e20e41 |
Return 1 if we reject an address because it look like part of dns-rebinding attack. */
|
|
|
e20e41 |
int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now,
|
|
|
e20e41 |
- char **ipsets, int is_sign, int check_rebind, int no_cache_dnssec, int secure, int *doctored)
|
|
|
e20e41 |
+ char **ipsets, int is_sign, int check_rebind, int no_cache_dnssec,
|
|
|
e20e41 |
+ int secure, int *doctored, char *rr_status)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
unsigned char *p, *p1, *endrr, *namep;
|
|
|
e20e41 |
int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
|
|
|
e20e41 |
@@ -582,6 +583,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
#else
|
|
|
e20e41 |
(void)ipsets; /* unused */
|
|
|
e20e41 |
#endif
|
|
|
e20e41 |
+
|
|
|
e20e41 |
|
|
|
e20e41 |
cache_start_insert();
|
|
|
e20e41 |
|
|
|
e20e41 |
@@ -590,10 +592,16 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
{
|
|
|
e20e41 |
searched_soa = 1;
|
|
|
e20e41 |
ttl = find_soa(header, qlen, name, doctored);
|
|
|
e20e41 |
-#ifdef HAVE_DNSSEC
|
|
|
e20e41 |
- if (*doctored && secure)
|
|
|
e20e41 |
- return 0;
|
|
|
e20e41 |
-#endif
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (*doctored)
|
|
|
e20e41 |
+ {
|
|
|
e20e41 |
+ if (secure)
|
|
|
e20e41 |
+ return 0;
|
|
|
e20e41 |
+ if (rr_status)
|
|
|
e20e41 |
+ for (i = 0; i < ntohs(header->ancount); i++)
|
|
|
e20e41 |
+ if (rr_status[i])
|
|
|
e20e41 |
+ return 0;
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
/* go through the questions. */
|
|
|
e20e41 |
@@ -604,7 +612,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
int found = 0, cname_count = CNAME_CHAIN;
|
|
|
e20e41 |
struct crec *cpp = NULL;
|
|
|
e20e41 |
int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
|
|
|
e20e41 |
- int secflag = secure ? F_DNSSECOK : 0;
|
|
|
e20e41 |
+ int cname_short = 0;
|
|
|
e20e41 |
unsigned long cttl = ULONG_MAX, attl;
|
|
|
e20e41 |
|
|
|
e20e41 |
namep = p;
|
|
|
e20e41 |
@@ -632,8 +640,9 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
if (!(p1 = skip_questions(header, qlen)))
|
|
|
e20e41 |
return 0;
|
|
|
e20e41 |
|
|
|
e20e41 |
- for (j = ntohs(header->ancount); j != 0; j--)
|
|
|
e20e41 |
+ for (j = 0; j < ntohs(header->ancount); j++)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
+ int secflag = 0;
|
|
|
e20e41 |
unsigned char *tmp = namep;
|
|
|
e20e41 |
/* the loop body overwrites the original name, so get it back here. */
|
|
|
e20e41 |
if (!extract_name(header, qlen, &tmp, name, 1, 0) ||
|
|
|
e20e41 |
@@ -659,11 +668,21 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
{
|
|
|
e20e41 |
if (!extract_name(header, qlen, &p1, name, 1, 0))
|
|
|
e20e41 |
return 0;
|
|
|
e20e41 |
-
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ if (rr_status && rr_status[j])
|
|
|
e20e41 |
+ {
|
|
|
e20e41 |
+ /* validated RR anywhere in CNAME chain, don't cache. */
|
|
|
e20e41 |
+ if (cname_short || aqtype == T_CNAME)
|
|
|
e20e41 |
+ return 0;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
+ secflag = F_DNSSECOK;
|
|
|
e20e41 |
+ }
|
|
|
e20e41 |
+
|
|
|
e20e41 |
if (aqtype == T_CNAME)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- if (!cname_count-- || secure)
|
|
|
e20e41 |
- return 0; /* looped CNAMES, or DNSSEC, which we can't cache. */
|
|
|
e20e41 |
+ if (!cname_count--)
|
|
|
e20e41 |
+ return 0; /* looped CNAMES, we can't cache. */
|
|
|
e20e41 |
+ cname_short = 1;
|
|
|
e20e41 |
goto cname_loop;
|
|
|
e20e41 |
}
|
|
|
e20e41 |
|
|
|
e20e41 |
@@ -685,7 +704,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
ttl = find_soa(header, qlen, NULL, doctored);
|
|
|
e20e41 |
}
|
|
|
e20e41 |
if (ttl)
|
|
|
e20e41 |
- cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | secflag);
|
|
|
e20e41 |
+ cache_insert(NULL, &addr, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | (secure ? F_DNSSECOK : 0));
|
|
|
e20e41 |
}
|
|
|
e20e41 |
}
|
|
|
e20e41 |
else
|
|
|
e20e41 |
@@ -713,8 +732,10 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
if (!(p1 = skip_questions(header, qlen)))
|
|
|
e20e41 |
return 0;
|
|
|
e20e41 |
|
|
|
e20e41 |
- for (j = ntohs(header->ancount); j != 0; j--)
|
|
|
e20e41 |
+ for (j = 0; j < ntohs(header->ancount); j++)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
+ int secflag = 0;
|
|
|
e20e41 |
+
|
|
|
e20e41 |
if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
|
|
|
e20e41 |
return 0; /* bad packet */
|
|
|
e20e41 |
|
|
|
e20e41 |
@@ -731,6 +752,10 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
|
|
|
e20e41 |
if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype))
|
|
|
e20e41 |
{
|
|
|
e20e41 |
+#ifdef HAVE_DNSSEC
|
|
|
e20e41 |
+ if (rr_status && rr_status[j])
|
|
|
e20e41 |
+ secflag = F_DNSSECOK;
|
|
|
e20e41 |
+#endif
|
|
|
e20e41 |
if (aqtype == T_CNAME)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
if (!cname_count--)
|
|
|
e20e41 |
@@ -822,7 +847,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
|
|
|
e20e41 |
pointing at this, inherit its TTL */
|
|
|
e20e41 |
if (ttl || cpp)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | secflag);
|
|
|
e20e41 |
+ newc = cache_insert(name, NULL, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0));
|
|
|
e20e41 |
if (newc && cpp)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
cpp->addr.cname.target.cache = newc;
|
|
|
e20e41 |
@@ -937,7 +962,7 @@ int check_for_local_domain(char *name, time_t now)
|
|
|
e20e41 |
/* Note: the call to cache_find_by_name is intended to find any record which matches
|
|
|
e20e41 |
ie A, AAAA, CNAME. */
|
|
|
e20e41 |
|
|
|
e20e41 |
- if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME |F_NO_RR)) &&
|
|
|
e20e41 |
+ if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_NO_RR)) &&
|
|
|
e20e41 |
(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
|
|
|
e20e41 |
return 1;
|
|
|
e20e41 |
|
|
|
e20e41 |
@@ -1689,8 +1714,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
|
e20e41 |
|
|
|
e20e41 |
if (qtype == T_CNAME || qtype == T_ANY)
|
|
|
e20e41 |
{
|
|
|
e20e41 |
- if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME)) &&
|
|
|
e20e41 |
- (qtype == T_CNAME || (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG | (dryrun ? F_NO_RR : 0)))))
|
|
|
e20e41 |
+ if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
|
|
|
e20e41 |
+ (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
|
|
|
e20e41 |
+ ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
|
|
|
e20e41 |
{
|
|
|
e20e41 |
if (!(crecp->flags & F_DNSSECOK))
|
|
|
e20e41 |
sec_data = 0;
|
|
|
e20e41 |
--
|
|
|
e20e41 |
2.20.1
|
|
|
e20e41 |
|