Commit 20f3b92a authored by Vladimír Čunát

Merge !350: Release 1.3.3

parents 52242744 104ebee4
......@@ -30,8 +30,11 @@ test:linux:amd64:
deckard:linux:amd64:
stage: test
script:
- LC_ALL=C.UTF-8 add-apt-repository ppa:raphink/augeas -y
- apt-get install -y python-yaml python-augeas
- apt purge -y python-dnspython python3-dnspython
- apt update
- apt install python-pip libffi-dev libaugeas-dev -y
- pip install --upgrade pip
- pip install --user dnspython pyyaml python-augeas
- PREFIX=$(pwd)/.local MAKEFLAGS="--jobs $(nproc) --keep-going" make check-integration
dependencies:
- build:linux:amd64
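Review bot: The `apt purge -y python-dnspython python3-dnspython` step followed by `pip install --user dnspython pyyaml python-augeas` swaps the distribution-pinned dnspython for whatever PyPI serves at job time, so the deckard integration run is not reproducible and silently picks up new upstream releases. If the pip line belongs to this change, pin the versions, e.g. `pip install --user 'dnspython==<pinned-version>' 'pyyaml==<pinned-version>' 'python-augeas==<pinned-version>'` (placeholders), or install from a requirements file with hashes. The rendered page does not mark which three of the displayed lines are the additions, so this is inferred from the hunk counts.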
......
Knot Resolver 1.3.3 (2017-0_-__)
Knot Resolver 1.3.3 (2017-08-09)
================================
Security
--------
- Fix a critical DNSSEC flaw. Signatures might be accepted as valid
even if the signed data was not in bailiwick of the DNSKEY used to
sign it, assuming the trust chain to that DNSKEY was valid.
Bugfixes
--------
- iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
......
# Project
MAJOR := 1
MINOR := 3
PATCH := 2
PATCH := 3
EXTRA :=
ABIVER := 3
BUILDMODE := dynamic
......
......@@ -147,6 +147,7 @@ The daemon also supports `systemd socket activation`_, it is automatically detec
To run the daemon by hand, such as under ``nohup``, use ``-f 1`` to start a single fork. For example:
.. code-block:: bash
$ nohup ./daemon/kresd -a 127.0.0.1 -f 1 &
......
......@@ -36,6 +36,10 @@
#include "lib/dnssec.h"
#include "lib/resolve.h"
/* forward */
static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
const knot_rrset_t *covered, size_t key_pos, const struct dseckey *key);
void kr_crypto_init(void)
{
dnssec_crypto_init();
......@@ -147,7 +151,16 @@ int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx, const knot_rrset_t *cover
return kr_error(ENOENT);
}
int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
/**
* Validate RRSet using a specific key.
* @param vctx Pointer to validation context.
* @param covered RRSet covered by a signature. It must be in canonical format.
* @param key_pos Position of the key to be validated with.
* @param key Key to be used to validate.
* If NULL, then key from DNSKEY RRSet is used.
* @return 0 or error code, same as vctx->result.
*/
static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
const knot_rrset_t *covered,
size_t key_pos, const struct dseckey *key)
{
......@@ -157,6 +170,14 @@ int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
uint32_t timestamp = vctx->timestamp;
bool has_nsec3 = vctx->has_nsec3;
struct dseckey *created_key = NULL;
/* It's just caller's approximation that the RR is in that particular zone.
* We MUST guard against attempts of zones signing out-of-bailiwick records. */
if (!knot_dname_in(zone_name, covered->owner)) {
vctx->result = kr_error(ENOENT);
return vctx->result;
}
if (key == NULL) {
const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, key_pos);
int ret = kr_dnssec_key_from_rdata(&created_key, keys->owner,
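Review bot: The new out-of-bailiwick guard placed before the `key == NULL` branch returns `kr_error(ENOENT)`, which the context in the earlier hunk (`return kr_error(ENOENT);` at the tail of kr_rrset_validate) appears to use for "no key validated", so a signature rejected because it covers an owner outside the zone is indistinguishable to callers and operators from an ordinary key mismatch and nothing records the attempt. Since the comment frames this as protection against zones signing out-of-bailiwick records, consider a debug trace at the rejection using whatever tracing facility this file already has, so such responses can be spotted in resolver logs. The doc comment moved into this file in the previous hunk still states only `@return 0 or error code, same as vctx->result.`; suggest appending `* Also fails with kr_error(ENOENT) when covered->owner is not at or below the zone the context validates for (out-of-bailiwick check).` Where `zone_name` is bound is above this hunk (presumably from vctx), and the function body continues past it.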
......
......@@ -71,18 +71,6 @@ typedef struct kr_rrset_validation_ctx kr_rrset_validation_ctx_t;
int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx,
const knot_rrset_t *covered);
/**
* Validate RRSet using a specific key.
* @param vctx Pointer to validation context.
* @param covered RRSet covered by a signature. It must be in canonical format.
* @param key_pos Position of the key to be validated with.
* @param key Key to be used to validate.
* If NULL, then key from DNSKEY RRSet is used.
* @return 0 or error code, same as vctx->result.
*/
int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
const knot_rrset_t *covered,
size_t key_pos, const struct dseckey *key);
/**
* Check whether the DNSKEY rrset matches the supplied trust anchor RRSet.
* @param vctx Pointer to validation context.
......