
2743. [bug] RRSIG could be incorrectly sent in the NSEC3 record

for a insecure delegation.
Mark Andrews 2009-11-03 01:07:48 +00:00
parent 717a6020e6
commit 554d22d2de
2 changed files with 23 additions and 5 deletions


@ -1,3 +1,6 @@
2743. [bug] RRSIG could be incorrectly sent in the NSEC3 record
for a insecure delegation.
--- 9.7.0b2 released --- --- 9.7.0b2 released ---
2742. [cleanup] Clarify some DNSSEC-related log messages in 2742. [cleanup] Clarify some DNSSEC-related log messages in


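--- a/nsec3.c
+++ b/nsec3.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* $Id: nsec3.c,v 1.10 2009/10/08 23:48:10 tbox Exp $ */
+/* $Id: nsec3.c,v 1.11 2009/11/03 01:07:48 marka Exp $ */
 #include <config.h>
@@ -88,6 +88,8 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	unsigned int i, window;
 	int octet;
 	isc_boolean_t found;
+	isc_boolean_t found_ns;
+	isc_boolean_t need_rrsig;
 	unsigned char *nsec_bits, *bm;
 	unsigned int max_type;
@@ -141,7 +143,7 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	found = ISC_FALSE;
+	found = found_ns = need_rrsig = ISC_FALSE;
 	for (result = dns_rdatasetiter_first(rdsiter);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(rdsiter))
@@ -153,13 +155,26 @@ dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
 			set_bit(bm, rdataset.type, 1);
-			/* Don't set RRSIG for insecure delegation. */
-			if (rdataset.type != dns_rdatatype_ns)
+			/*
+			 * Work out if we need to set the RRSIG bit for
+			 * this node. We set the RRSIG bit if either of
+			 * the following conditions are met:
+			 * 1) We have a SOA or DS then we need to set
+			 *    the RRSIG bit as both always will be signed.
+			 * 2) We set the RRSIG bit if we don't have
+			 *    a NS record but do have other data.
+			 */
+			if (rdataset.type == dns_rdatatype_soa ||
+			    rdataset.type == dns_rdatatype_ds)
+				need_rrsig = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_ns)
+				found_ns = ISC_TRUE;
+			else
 				found = ISC_TRUE;
 		}
 		dns_rdataset_disassociate(&rdataset);
 	}
-	if (found) {
+	if ((found && !found_ns) || need_rrsig) {
 		if (dns_rdatatype_rrsig > max_type)
 			max_type = dns_rdatatype_rrsig;
 		set_bit(bm, dns_rdatatype_rrsig, 1);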
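Review bot: The new comment above the SOA/DS/NS classification never states why `found` on its own is not enough, which is exactly the case this commit fixes: glue or other occluded data at a delegation owner still sets `found`, and only the `!found_ns` term in the final `if ((found && !found_ns) || need_rrsig)` keeps the RRSIG bit out of the NSEC3 type bitmap for it. I would reword condition 2 as `* 2) The node holds data other than NS and is not a delegation (glue or occluded data at a zone cut is never signed).` and fix the grammar in the surrounding lines (`either ... is met`, `an NS record`). This reasoning also relies on the type filter above the hunk keeping RRSIG and NSEC3 rdatasets from setting `found`, which the pre-existing handling suggests but which is not visible here. dns_nsec3_buildrdata and the rdataset iteration loop both begin before this hunk and continue past its end.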