author | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
commit | d3760be01b120df8980c056ecc85a4229d660264 (patch) | |
tree | ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-dns-transaction.c | |
parent | 519d39deeeec7121649f28e7287b7790e50d2979 (diff) |
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existence, if there are any.
This is necessary since otherwise an attacker might put together a faked
negative response for one of our questions including a high-TTL SOA RR
for any parent zone, and we'd trust the TTL.
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 677d643463..870b7586fd 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -40,6 +40,7 @@ static void dns_transaction_reset_answer(DnsTransaction *t) {
 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
 t->answer_authenticated = false;
+ t->answer_nsec_ttl = (uint32_t) -1;
 }
 
 static void dns_transaction_close_connection(DnsTransaction *t) {
@@ -157,6 +158,7 @@ int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key)
 t->dns_udp_fd = -1;
 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
+ t->answer_nsec_ttl = (uint32_t) -1;
 t->key = dns_resource_key_ref(key);
 
 /* Find a fresh, unused transaction id */
@@ -482,6 +484,7 @@ static void dns_transaction_cache_answer(DnsTransaction *t) {
 t->answer_rcode,
 t->answer,
 t->answer_authenticated,
+ t->answer_nsec_ttl,
 0,
 t->received->family,
 &t->received->sender);
@@ -2385,7 +2388,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 bool authenticated = false;
 
 /* Bummer! Let's check NSEC/NSEC3 */
- r = dnssec_test_nsec(t->answer, t->key, &nr, &authenticated);
+ r = dnssec_test_nsec(t->answer, t->key, &nr, &authenticated, &t->answer_nsec_ttl);
 if (r < 0)
 return r; |
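Review bot: The sentinel `(uint32_t) -1` in the added initializer of dns_transaction_reset_answer() is undocumented, and the identical line is repeated in dns_transaction_new() in the second hunk. Spell it as `UINT32_MAX` and say what it means at the first site, e.g. `t->answer_nsec_ttl = UINT32_MAX; /* no NSEC/NSEC3 TTL known yet, so negative-cache TTL clamping is a no-op */` — the clamping semantics come from the commit message rather than from this diff, so confirm them against the cache code before committing to that wording. If dns_transaction_new() cannot simply reuse dns_transaction_reset_answer() for its defaults, a named constant would at least keep the two sites from drifting apart. dns_transaction_new() continues outside its hunk.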
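Review bot: `t->answer_nsec_ttl` is now handed to the cache unconditionally in dns_transaction_cache_answer(), but as far as this diff shows it is only ever written in the NSEC/NSEC3 branch of dns_transaction_validate_dnssec(); for responses that never reach that branch it stays at the reset sentinel, so the negative-cache TTL is still taken from the SOA minimum alone. That is presumably intended, since there is no proof to clamp against, but it deserves a comment at the argument, e.g. `t->answer_nsec_ttl, /* UINT32_MAX unless NSEC/NSEC3 RRs were validated; clamps the negative-cache TTL */`. It is also not visible whether dnssec_test_nsec() writes the out-parameter on every return or only on success; if only on success, a value from an earlier validation attempt would survive unless dns_transaction_reset_answer() runs in between, which is worth checking. The callee's name and parameter list are outside the hunk, so verify that the new argument lands on the matching parameter and not on the `0` that follows; the call itself starts before the hunk.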