3348. [security] prevent RRSIG data from being cached if a negative

record matching the covering type exists at a higher trust level. Such data already can't be retrieved from the cache since change 3218 -- this prevents it being inserted into the cache as well.
2025-08-29 13:38:26 +00:00 · 2012-07-09 12:51:11 -05:00 · 2012-07-09 12:51:11 -05:00 · ad7fdba1ed
commit ad7fdba1ed
parent e124c83f6b
2 changed files with 19 additions and 8 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+3348.	[security]	prevent RRSIG data from being cached if a negative 
+			record matching the covering type exists at a higher 
+			trust level. Such data already can't be retrieved from 
+			the cache since change 3218 -- this prevents it 
+			being inserted into the cache as well.
+			
 3347.	[bug]		dnssec-settime: Issue a warning when writing a new 
 			private key file would cause a change in the 
 			permissions of the existing file. [RT #27724]
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@ -6040,13 +6040,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	negtype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+		covers = RBTDB_RDATATYPE_EXT(newheader->type);
+		sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
 		if (NEGATIVE(newheader)) {
 			/*
 			 * We're adding a negative cache entry.
 			 */
-			covers = RBTDB_RDATATYPE_EXT(newheader->type);
-			sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
-							covers);
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
@ -6077,14 +6076,20 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 * We're adding something that isn't a
 			 * negative cache entry.  Look for an extant
 			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
-			 * cache entry.
+			 * cache entry.  If we're adding an RRSIG, also
+			 * check for an extant non-stale NODATA ncache
+			 * entry which covers the same type as the RRSIG.
 			 */
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
-				if (topheader->type ==
-				    RBTDB_RDATATYPE_NCACHEANY)
-					break;
+				if ((topheader->type ==
+					RBTDB_RDATATYPE_NCACHEANY) ||
+					(newheader->type == sigtype &&
+					topheader->type ==
+					RBTDB_RDATATYPE_VALUE(0, covers))) {
+						break;
+					}
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
 			    topheader->rdh_ttl > now) {
@ -6107,7 +6112,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				}
 				/*
 				 * The new rdataset is better.  Expire the
-				 * NXDOMAIN/NODATA(QTYPE=ANY).
+				 * ncache entry.
 				 */
 				set_ttl(rbtdb, topheader, 0);
 				mark_stale_header(rbtdb, topheader);