summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-dnssec.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-14 18:14:43 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-17 20:47:45 +0100
commit93a3b9294f7fa98ee10c66163f86cd0232728453 (patch)
treec316c03b77356844568ebf76b738893147c7e8a9 /src/resolve/resolved-dns-dnssec.c
parent97c67192eadaffe67b803ec5b991a92bb1137d0b (diff)
resolved: be stricter when using NSEC3
We can user signer and synthesizing source information to check that the NSEC3 RRs we want to use are actually reasonable and properly signed.
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r--src/resolve/resolved-dns-dnssec.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 37fc3150f0..2202daafc0 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1157,7 +1157,6 @@ int dnssec_verify_dnskey_search(DnsResourceRecord *dnskey, DnsAnswer *validated_
if (ds->key->type != DNS_TYPE_DS)
continue;
-
if (ds->key->class != dnskey->key->class)
continue;
@@ -1286,6 +1285,13 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
return 0;
+ /* Ignore NSEC3 RRs generated from wildcards */
+ if (rr->n_skip_labels_source != 0)
+ return 0;
+ /* Ignore NSEC3 RRs that are located anywhere else than one label below the zone */
+ if (rr->n_skip_labels_signer != 1)
+ return 0;
+
if (!nsec3)
return 1;
@@ -1319,6 +1325,7 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
if (r == 0)
return 0;
+ /* Make sure both have the same parent */
return dns_name_equal(a, b);
}