Commit defe4a70 authored by Petr Špaček

Merge branch 'marek/fix-servfails-for-root-ds' into 'master'

fixed validation of root DS

See merge request knot/knot-resolver!544
parents 8171aa26 3c2e9cfe
......@@ -2,6 +2,7 @@
Bugfixes
--------
- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone
- validation: fix SERVFAIL for DS . query
Knot Resolver 2.2.0 (2018-03-28)
......@@ -324,7 +324,7 @@ int nsec1_encloser(struct key *k, struct answer *ans,
knot_nsec_bitmap(&nsec_rr->rrs, &bm, &bm_size);
if (exact_match) {
if (kr_nsec_bitmap_nodata_check(bm, bm_size, qry->stype) != 0) {
if (kr_nsec_bitmap_nodata_check(bm, bm_size, qry->stype, nsec_rr->owner) != 0) {
assert(bm);
VERBOSE_MSG(qry,
"=> NSEC sname: match but failed type check\n");
......@@ -489,7 +489,7 @@ int nsec1_src_synth(struct key *k, struct answer *ans, const knot_dname_t *clenc
}
/* The wildcard exists. Find if it's NODATA - check type bitmap. */
if (kr_nsec_bitmap_nodata_check(bm, bm_size, qry->stype) == 0) {
if (kr_nsec_bitmap_nodata_check(bm, bm_size, qry->stype, nsec_rr->owner) == 0) {
/* NODATA proven; just need to add SOA+RRSIG later */
WITH_VERBOSE(qry) {
const char *msg_start = "=> NSEC wildcard: match proved NODATA";
......@@ -258,10 +258,10 @@ static int coverign_rrsig_labels(const knot_rrset_t *nsec, const knot_pktsection
}
int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t type)
int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t type, const knot_dname_t *owner)
{
const int NO_PROOF = abs(ENOENT);
if (!bm) {
if (!bm || !owner) {
return kr_error(EINVAL);
}
if (kr_nsec_bitmap_contains_type(bm, bm_size, type)) {
......@@ -278,8 +278,10 @@ int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t ty
/* Security feature: in case of DS also check for SOA
* non-existence to be more certain that we don't hold
* a child-side NSEC by some mistake (e.g. when forwarding).
* See RFC4035 5.2, next-to-last paragraph. */
if (kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) {
* See RFC4035 5.2, next-to-last paragraph.
* This doesn't apply for root DS as it doesn't exist in DNS hierarchy.
*/
if (owner[0] != '\0' && kr_nsec_bitmap_contains_type(bm, bm_size, KNOT_RRTYPE_SOA)) {
return NO_PROOF;
}
break;
......@@ -318,7 +320,7 @@ static int no_data_response_check_rrtype(int *flags, const knot_rrset_t *nsec,
uint8_t *bm = NULL;
uint16_t bm_size = 0;
knot_nsec_bitmap(&nsec->rrs, &bm, &bm_size);
int ret = kr_nsec_bitmap_nodata_check(bm, bm_size, type);
int ret = kr_nsec_bitmap_nodata_check(bm, bm_size, type, nsec->owner);
if (ret == kr_ok()) {
*flags |= FLG_NOEXIST_RRTYPE;
}
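Review bot: The comment added above the `owner[0] != '\0' &&` condition gives the reason as the root DS not existing in the hierarchy, but the check being skipped is the child-side-vs-parent-side NSEC heuristic, and what actually makes skipping it safe is that the root has no parent zone, so the root apex NSEC (which necessarily lists SOA) is the only NSEC that can ever prove DS absence at `.`. I'd reword the added comment lines to `* This doesn't apply to the root: it has no parent zone, so the root apex NSEC (which always lists SOA) is the only possible proof of "no DS".` The new `!owner` guard at the top of the function correctly precedes the dereference. kr_nsec_bitmap_nodata_check's body continues outside the hunks.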
......@@ -41,10 +41,11 @@ int kr_nsec_children_in_zone_check(const uint8_t *bm, uint16_t bm_size);
* @param bm Bitmap.
* @param bm_size Bitmap size.
* @param type RR type to check.
* @param owner NSEC record owner.
* @note This includes special checks for zone cuts, e.g. from RFC 6840 sec. 4.
* @return 0, abs(ENOENT) (no proof), kr_error(EINVAL)
*/
int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t type);
int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t type, const knot_dname_t *owner);
/**
* Name error response check (RFC4035 3.1.3.2; RFC4035 5.4, bullet 2).
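Review bot: The new `@param owner` line says only `NSEC record owner.`, which does not tell a caller why the owner is now required or what it changes, and the function now fails with `kr_error(EINVAL)` when it is NULL. Since the value is used to exempt the root name from the SOA cross-check in the DS case, I'd extend it to `@param owner NSEC record owner (must not be NULL); the root name skips the RFC4035 5.2 SOA cross-check because it has no parent zone.` The `@return` line is unchanged and still accurate.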
......@@ -554,7 +554,7 @@ static int nodata_find(const knot_pkt_t *pkt, knot_section_t section_id,
uint8_t *bm = NULL;
uint16_t bm_size;
knot_nsec3_bitmap(&nsec3->rrs, 0, &bm, &bm_size);
if (kr_nsec_bitmap_nodata_check(bm, bm_size, type) == kr_ok()) {
if (kr_nsec_bitmap_nodata_check(bm, bm_size, type, nsec3->owner) == kr_ok()) {
return kr_ok();
}
}
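Review bot: The owner passed here is the NSEC3 record's owner, which is a hashed label under the zone apex and therefore never the root name, so the `owner[0] != '\0'` test in kr_nsec_bitmap_nodata_check is always true on this path and the new root-DS exemption can never apply to NSEC3 proofs. That is presumably fine as long as root DS proofs are always NSEC-based, but the asymmetry is not visible from this call site; a comment such as `/* Hashed NSEC3 owner is never the root, so the root-DS exemption cannot apply here. */` would record it. nodata_find's body starts outside the hunk.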
......@@ -414,7 +414,7 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
} else if (ret != 0) {
VERBOSE_MSG(qry, "<= bogus proof of DS non-existence\n");
qry->flags.DNSSEC_BOGUS = true;
} else {
} else if (proved_name[0] != '\0') { /* don't go to insecure for . DS */
VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
qry->flags.DNSSEC_NODS = true;
/* Rank the corresponding nonauth NS as insecure. */
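Review bot: With the new `else if (proved_name[0] != '\0')` there is now a case — DS non-existence proven for the root name — in which neither the BOGUS nor the NODS branch runs and the function carries on with the query flags untouched; the trailing comment says what is avoided but not what outcome is intended. I'd state it, e.g. `/* Root has no parent zone, so a proven "no DS" is expected there and must not downgrade to insecure. */`, or add an explicit `else` with a VERBOSE_MSG so the case shows up in logs. If `proved_name` can be NULL on this path (it is assigned outside the hunk), the dereference needs a guard. update_delegation's body starts and ends outside the hunk.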