field | value | date |
---|---|---|
author | Lennart Poettering <lennart@poettering.net> | 2016-01-15 18:18:54 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-17 20:47:46 +0100 |
commit | c3f7000e611b2c08052aca6db47245e77c008ae6 | |
tree | 64094689b3d4b2264d59bc67715e0b943d3560d0 /rules | |
parent | afc58cc2fb5841154fe036ee7a6e1c8a06bc5d29 | |
resolved: ignore invalid OPT RRs in incoming packets

This validates OPT RRs more rigorously, before honouring them: if any of the following conditions holds, we'll ignore
them:

a) Multiple OPT RRs in the same message
b) OPT RR not owned by the root domain
c) OPT RR in the wrong section (Belkin routers do this)
d) OPT RR contains RFC6975 algorithm data (Belkin routers do this)
e) OPT version is not 0
f) OPT payload doesn't add up with the lengths

Note that d) may be an indication that the server just blindly copied OPT data from the response into the reply.
RFC6975 data is only supposed to be included in queries, and we do so. It's not supposed to be included in responses
(and the RFC is very clear on that). Hence if we get it back in a reply, then the server probably just copied the OPT
RR.
Diffstat (limited to 'rules')
0 files changed, 0 insertions, 0 deletions
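
The six checks a) to f) from the commit message, applied to raw DNS wire format in Python. This is an added illustration, not the code of this commit or of systemd. The names `opt_problems`, `rr` and `message` are made up for the example, the sample messages are constructed, and the option codes 5, 6 and 7 (DAU, DHU, N3U) are taken from RFC 6975 rather than from the page.

```python
import struct

OPT = 41                   # RR TYPE of the EDNS0 OPT pseudo-RR
RFC6975_CODES = {5, 6, 7}  # DAU, DHU, N3U option codes

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off] != 0:
        if msg[off] >= 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        if msg[off] > 63: raise ValueError("unsupported label type")
        off += 1 + msg[off]
    return off + 1

def opt_problems(msg):
    """Return the letters (a-f, as listed above) of the rules the message breaks.
    A truncated message raises IndexError or struct.error instead."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off, seen, why = 12, 0, set()
    for _ in range(qd):                        # question: name, type, class
        off = skip_name(msg, off) + 4
    for section, count in enumerate((an, ns, ar)):
        for _ in range(count):
            start, off = off, skip_name(msg, off)
            # The OPT "TTL" field carries extended RCODE, version and flags
            rtype, _, _, version, _, rdlen = struct.unpack_from("!HHBBHH", msg, off)
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if len(rdata) != rdlen: raise IndexError("truncated RR")
            if rtype != OPT:
                continue
            seen += 1
            if seen > 1: why.add("a")
            if msg[start] != 0: why.add("b")   # assumption: root owner is the single byte 0x00
            if section != 2: why.add("c")      # OPT belongs in the additional section
            if version != 0: why.add("e")
            p = 0
            while p < rdlen:                   # options are {code, length, data} triples
                code, olen = struct.unpack("!HH", rdata[p:p + 4].ljust(4, b"\0"))
                if p + 4 + olen > rdlen:       # option header or data runs past RDLENGTH
                    why.add("f")
                    break
                if code in RFC6975_CODES: why.add("d")
                p += 4 + olen
    return why

def rr(owner, rtype, cls, ttl, rdata=b""):     # constructed-sample helper
    return owner + struct.pack("!HHIH", rtype, cls, ttl, len(rdata)) + rdata
def message(answers=(), additional=()):        # constructed reply to "a. IN A"
    head = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    return head + b"\x01a\x00\x00\x01\x00\x01" + b"".join(answers) + b"".join(additional)
```

For instance, `opt_problems(message(answers=[rr(b"\x00", OPT, 4096, 0, b"\x00\x05\x00\x01\x08")]))` returns `{"c", "d"}`: an OPT RR in the answer section that carries a DAU option, the combination the commit message attributes to Belkin routers.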