diff options
author | Simon Kelley <simon@thekelleys.org.uk> | 2015-01-12 23:16:56 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2015-01-12 23:16:56 +0000 |
commit | 5e321739db381a1d7b5964d76e9c81471d2564c9 (patch) | |
tree | da7f5beb8241e8d0a7ad40ca7472efffa83df092 | |
parent | 9f79ee4ae34886c0319f06d8f162b81ef79d62fb (diff) | |
download | dnsmasq-5e321739db381a1d7b5964d76e9c81471d2564c9.tar.gz |
Don't answer from cache RRsets from wildcards, as we don't have NSECs.
-rw-r--r-- | src/dnssec.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/dnssec.c b/src/dnssec.c index afb3dca..d39ab85 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch struct blockdata *key; struct crec *crecp; char *wildname; + int have_wildcard = 0; rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0); if (rc == STAT_SECURE_WILDCARD) { + have_wildcard = 1; + /* An attacker replay a wildcard answer with a different answer and overlay a genuine RR. To prove this hasn't happened, the answer must prove that @@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch p2 += 13; /* labels, orig_ttl, expiration, inception */ GETSHORT(keytag, p2); - if ((key = blockdata_alloc((char*)psave, rdlen2))) + /* We don't cache sigs for wildcard answers, because to reproduce the + answer from the cache will require one or more NSEC/NSEC3 records + which we don't cache. The lack of the RRSIG ensures that a query for + this RRset asking for a secure answer will always be forwarded. */ + if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2))) { if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DS))) blockdata_free(key); |