Commit 79d9931d authored by Marek Vavruša's avatar Marek Vavruša

lib/iterate: do not follow CNAME targets outside cut

this is a problem when both the CNAME and its target are answered by the same NS (but from different authorities), and only the CNAME authority does DNSSEC. it’s probably legal, but it’s pretty stupid to do so
parent c6509ea9
......@@ -367,6 +367,10 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
return state;
}
follow_cname_chain(&cname, rr, query);
/* Trust only CNAME targets in current cut. */
if (!knot_dname_in(query->zone_cut.name, cname)) {
break;
}
}
/* Make sure that this is an authoritative naswer (even with AA=0) for other layers */
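Review bot: `knot_dname_in(query->zone_cut.name, cname)` is a name-suffix test, not a zone-membership test, so a CNAME target that lies in a zone delegated below the current cut still passes the new check after `follow_cname_chain`; whether a later referral check covers that case is outside this hunk. The check also runs after `cname` has already been advanced, so the loop exits with `cname` holding the out-of-cut target, and the code after the loop (not visible here) decides whether that name is re-queried from its own cut or the truncated answer is treated as final; the comment should say which. Suggest `/* Trust only CNAME targets in the current cut (suffix check; a target in a child zone still passes). Stop here so the target is resolved from its own cut. */`, adjusted to what the caller actually does. process_answer starts and ends outside the hunk.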
......
......@@ -251,9 +251,12 @@ static int stash_answer(struct kr_query *qry, knot_pkt_t *pkt, map_t *stash, mm_
continue;
}
kr_rrmap_add(stash, rr, pool);
/* Follow CNAME chain */
/* Follow CNAME chain in current cut. */
if (rr->type == KNOT_RRTYPE_CNAME) {
cname = knot_cname_name(&rr->rrs);
if (!knot_dname_in(qry->zone_cut.name, cname)) {
break;
}
} else {
cname = qry->sname;
}
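Review bot: The CNAME record itself is stashed by `kr_rrmap_add(stash, rr, pool)` before the new in-cut test, so an out-of-cut CNAME is cached while the records for its target are not; that asymmetry looks intended, since the CNAME's owner is what was queried, but it deserves a comment such as `/* The CNAME itself stays stashed; only records for a target outside the cut are dropped. */`. `break` also leaves `cname` set to the out-of-cut name, and what the code after the loop (outside the hunk) does with it is not visible here. The same `knot_dname_in(qry->zone_cut.name, ...)` check now appears in this hunk, in process_answer and in validate_section with slightly different operands; a small shared helper would keep the three from drifting. stash_answer starts and ends outside the hunk.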
......
......@@ -87,6 +87,10 @@ static int validate_section(struct kr_query *qry, knot_pkt_t *answer,
if ((rr->type == KNOT_RRTYPE_NS) && (section_id == KNOT_AUTHORITY)) {
continue;
}
/* Only validate answers from current cut, records above the cut are stripped. */
if (section_id == KNOT_ANSWER && !knot_dname_in(qry->zone_cut.name, rr->owner)) {
continue;
}
ret = kr_rrmap_add(&stash, rr, pool);
if (ret != 0) {
goto fail;
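Review bot: The new comment says records above the cut are stripped, but `!knot_dname_in(qry->zone_cut.name, rr->owner)` rejects any owner outside the cut, including unrelated names, and this hunk only skips them with `continue`; nothing here removes them from `answer`, so the stripping must happen in another layer or not at all. A record skipped here is never validated, so it must not survive into the cached or returned answer; if the removal is done elsewhere, the comment should point there, e.g. `/* Only validate answer records inside the current cut; owners outside it (above or beside) are skipped here and dropped from the answer by <LAYER THAT STRIPS THEM>. */`. validate_section starts and ends outside the hunk.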
......