author | Lennart Poettering <lennart@poettering.net> | 2016-01-13 02:29:31 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-13 20:21:57 +0100 |
commit | e8233bce196a14fa3ebde2969594fcdfa4404e19 (patch) | |
tree | 96c31f230e85cc595a7e3375169607cd3f76c0b2 /src/resolve/resolved-dns-dnssec.c | |
parent | 7160eb1b867a4bc64522287352fbe2a6aa687d2a (diff) |
resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index a18ae56b9e..6f0f8f837e 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -548,6 +548,11 @@ int dnssec_verify_rrset(
         r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(key), rrsig->rrsig.labels, &source);
         if (r < 0)
                 return r;
+        if (r > 0 && !dns_type_may_wildcard(rrsig->rrsig.type_covered)) {
+                /* We refuse to validate NSEC3 or SOA RRs that are synthesized from wildcards */
+                *result = DNSSEC_INVALID;
+                return 0;
+        }
         if (r == 1) {
                 /* If we stripped a single label, then let's see if that maybe was "*". If so, we are not really
                  * synthesized from a wildcard, we are the wildcard itself. Treat that like a normal name. */ |
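Review bot: The comment on the added block names only NSEC3 and SOA, while the commit title also lists DNAME as a type whose wildcard-synthesized RRs are refused, so the comment under-documents the check it guards; suggest `/* We refuse to validate NSEC3, SOA or DNAME RRs that are synthesized from wildcards, see dns_type_may_wildcard() */`. The new check also runs before the existing `if (r == 1)` branch, whose comment says it distinguishes a record that is the wildcard itself from one synthesized from it, so for these types that exception is apparently no longer reachable; if rejecting the wildcard owner record itself is intended, a sentence saying so in the comment would save the next reader a detour. Whether the `r > 0` condition and the later `r == 1` handling agree on what counts as synthesized is inferred from the visible comments only. dnssec_verify_rrset() starts and ends outside this hunk.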