From 09eaf68ce4e19a653ff25312e75c6e226b127fd6 Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Wed, 25 Nov 2015 22:22:38 +0100 Subject: resolved: do not reject NSEC records with empty bitmaps The assumption that no NSEC bitmap could be empty due to the presence of the bit representing the record itself turns out to be flawed. See (the admittedly experimental) RFC4956 for a counter example. --- src/resolve/resolved-dns-packet.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'src/resolve') diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index 472486777c..4b6b6afae8 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c @@ -1746,12 +1746,9 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) { if (r < 0) goto fail; - /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means - something went wrong */ - if (bitmap_isclear(rr->nsec.types)) { - r = -EBADMSG; - goto fail; - } + /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself + * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records + * without the NSEC bit set. */ break; -- cgit v1.2.3-54-g00ecf From 95d46fcaa4f27bc5e675e8de39ab3acc4732e39b Mon Sep 17 00:00:00 2001 From: Tom Gundersen Date: Thu, 26 Nov 2015 03:58:08 +0100 Subject: resolved: bus - follow CNAME chains when resolving addresses It may be unexpected to find a CNAME record when doing a reverse lookup, as we expect to find a PTR record directly. However, it is explicitly supported according to , and there seems to be no benefit to not supporting it. --- src/resolve/resolved-bus.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/resolve') diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c index a43aa59cc0..da1b5014bf 100644 --- a/src/resolve/resolved-bus.c +++ b/src/resolve/resolved-bus.c @@ -298,7 +298,15 @@ static void bus_method_resolve_address_complete(DnsQuery *q) { goto finish; } - /* We don't process CNAME for PTR lookups. */ + r = dns_query_process_cname(q); + if (r == -ELOOP) { + r = sd_bus_reply_method_errorf(q->request, BUS_ERROR_CNAME_LOOP, "CNAME loop detected, or CNAME resolving disabled on '%s'", dns_question_name(q->question)); + goto finish; + } + if (r < 0) + goto finish; + if (r > 0) /* This was a cname, and the query was restarted. */ + return; r = sd_bus_message_new_method_return(q->request, &reply); if (r < 0) -- cgit v1.2.3-54-g00ecf