diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-01-13 02:29:31 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-13 20:21:57 +0100 |
commit | e8233bce196a14fa3ebde2969594fcdfa4404e19 (patch) | |
tree | 96c31f230e85cc595a7e3375169607cd3f76c0b2 | |
parent | 7160eb1b867a4bc64522287352fbe2a6aa687d2a (diff) |
resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME
-rw-r--r-- | src/resolve/dns-type.c | 15 | ||||
-rw-r--r-- | src/resolve/dns-type.h | 1 | ||||
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 5 |
3 files changed, 21 insertions, 0 deletions
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c index fb8228048d..47a37fa0a7 100644 --- a/src/resolve/dns-type.c +++ b/src/resolve/dns-type.c @@ -120,6 +120,21 @@ bool dns_type_may_redirect(uint16_t type) { DNS_TYPE_KEY); } +bool dns_type_may_wildcard(uint16_t type) { + + /* The following records may not be expanded from wildcard RRsets */ + + if (dns_type_is_pseudo(type)) + return false; + + return !IN_SET(type, + DNS_TYPE_NSEC3, + DNS_TYPE_SOA, + + /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */ + DNS_TYPE_DNAME); +} + bool dns_type_is_dnssec(uint16_t type) { return IN_SET(type, DNS_TYPE_DS, diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h index 45080fd243..747bc854e1 100644 --- a/src/resolve/dns-type.h +++ b/src/resolve/dns-type.h @@ -131,6 +131,7 @@ bool dns_type_is_valid_rr(uint16_t type); bool dns_type_may_redirect(uint16_t type); bool dns_type_is_dnssec(uint16_t type); bool dns_type_is_obsolete(uint16_t type); +bool dns_type_may_wildcard(uint16_t type); bool dns_class_is_pseudo(uint16_t class); bool dns_class_is_valid_rr(uint16_t class); diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index a18ae56b9e..6f0f8f837e 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -548,6 +548,11 @@ int dnssec_verify_rrset( r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(key), rrsig->rrsig.labels, &source); if (r < 0) return r; + if (r > 0 && !dns_type_may_wildcard(rrsig->rrsig.type_covered)) { + /* We refuse to validate NSEC3 or SOA RRs that are synthesized from wildcards */ + *result = DNSSEC_INVALID; + return 0; + } if (r == 1) { /* If we stripped a single label, then let's see if that maybe was "*". If so, we are not really * synthesized from a wildcard, we are the wildcard itself. Treat that like a normal name. */ |