summaryrefslogtreecommitdiff
path: root/rules
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-15 18:18:54 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-17 20:47:46 +0100
commitc3f7000e611b2c08052aca6db47245e77c008ae6 (patch)
tree64094689b3d4b2264d59bc67715e0b943d3560d0 /rules
parentafc58cc2fb5841154fe036ee7a6e1c8a06bc5d29 (diff)
resolved: ignore invalid OPT RRs in incoming packets
This validates OPT RRs more rigorously, before honouring them: if we any of the following condition holds, we'll ignore them: a) Multiple OPT RRs in the same message b) OPT RR not owned by the root domain c) OPT RR in the wrong section (Belkin routers do this) d) OPT RR contain rfc6975 algorithm data (Belkin routers do this) e) OPT version is not 0 f) OPT payload doesn't add up with the lengths Note that d) may be an indication that the server just blindly copied OPT data from the response into the reply. RFC6975 data is only supposed to be included in queries, and we do so. It's not supposed to be included in responses (and the RFC is very clear on that). Hence if we get it back in a reply, then the server probably just copied the OPT RR.
Diffstat (limited to 'rules')
0 files changed, 0 insertions, 0 deletions