mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

Require local KEYs for SIG(0) verification

Browse Source 
This is additional hardening. There is no known use-case for KEY RRs
from DNS cache and it potentially allows attackers to put weird keys
into cache.
This commit is contained in:
Petr Špaček
2024-06-04 18:41:44 +02:00
committed by Nicki Křížek
parent d69fab1530
commit 9370acd3a7
1 changed files with 1 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/dns/message.c
View File

@@ -3323,11 +3323,9 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
0, false, &keyset, NULL); 0, false, &keyset, NULL);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
/* XXXBEW Should possibly create a fetch here */
result = DNS_R_KEYUNAUTHORIZED; result = DNS_R_KEYUNAUTHORIZED;
goto freesig; goto freesig;
} else if (keyset.trust < dns_trust_secure) { } else if (keyset.trust < dns_trust_ultimate) {
/* XXXBEW Should call a validator here */
result = DNS_R_KEYUNAUTHORIZED; result = DNS_R_KEYUNAUTHORIZED;
goto freesig; goto freesig;
} }