summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-13 02:29:31 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-13 20:21:57 +0100
commite8233bce196a14fa3ebde2969594fcdfa4404e19 (patch)
tree96c31f230e85cc595a7e3375169607cd3f76c0b2 /src
parent7160eb1b867a4bc64522287352fbe2a6aa687d2a (diff)
resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME
Diffstat (limited to 'src')
-rw-r--r--src/resolve/dns-type.c15
-rw-r--r--src/resolve/dns-type.h1
-rw-r--r--src/resolve/resolved-dns-dnssec.c5
3 files changed, 21 insertions, 0 deletions
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index fb8228048d..47a37fa0a7 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -120,6 +120,21 @@ bool dns_type_may_redirect(uint16_t type) {
DNS_TYPE_KEY);
}
+bool dns_type_may_wildcard(uint16_t type) {
+
+ /* The following records may not be expanded from wildcard RRsets */
+
+ if (dns_type_is_pseudo(type))
+ return false;
+
+ return !IN_SET(type,
+ DNS_TYPE_NSEC3,
+ DNS_TYPE_SOA,
+
+ /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
+ DNS_TYPE_DNAME);
+}
+
bool dns_type_is_dnssec(uint16_t type) {
return IN_SET(type,
DNS_TYPE_DS,
diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h
index 45080fd243..747bc854e1 100644
--- a/src/resolve/dns-type.h
+++ b/src/resolve/dns-type.h
@@ -131,6 +131,7 @@ bool dns_type_is_valid_rr(uint16_t type);
bool dns_type_may_redirect(uint16_t type);
bool dns_type_is_dnssec(uint16_t type);
bool dns_type_is_obsolete(uint16_t type);
+bool dns_type_may_wildcard(uint16_t type);
bool dns_class_is_pseudo(uint16_t class);
bool dns_class_is_valid_rr(uint16_t class);
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index a18ae56b9e..6f0f8f837e 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -548,6 +548,11 @@ int dnssec_verify_rrset(
r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(key), rrsig->rrsig.labels, &source);
if (r < 0)
return r;
+ if (r > 0 && !dns_type_may_wildcard(rrsig->rrsig.type_covered)) {
+ /* We refuse to validate NSEC3 or SOA RRs that are synthesized from wildcards */
+ *result = DNSSEC_INVALID;
+ return 0;
+ }
if (r == 1) {
/* If we stripped a single label, then let's see if that maybe was "*". If so, we are not really
* synthesized from a wildcard, we are the wildcard itself. Treat that like a normal name. */