2092 lines
77 KiB
Diff
2092 lines
77 KiB
Diff
|
commit b2298dec2a9d3c1e7fe495460c14b34b1cf655cf
|
||
|
Author: Tomas Korbar <tkorbar@redhat.com>
|
||
|
Date: Tue Feb 20 13:39:09 2024 +0100
|
||
|
|
||
|
Fix CVE 2023-50387 and CVE 2023-50868
|
||
|
|
||
|
Add limits on the resources used to do DNSSEC validation.
|
||
|
DNSSEC introduces a potential CPU DoS, because a crafted domain
|
||
|
can force a validator to a large number of cryptographic
|
||
|
operations whilst attempting to do validation. When using TCP
|
||
|
transport a DNSKEY RRset contain thousands of members and any
|
||
|
RRset can have thousands of signatures. The potential number
|
||
|
of signature validations to follow the RFC for validation
|
||
|
for one RRset is the cross product of the keys and signatures,
|
||
|
so millions. In practice, the actual numbers are much lower,
|
||
|
so attacks can be mitigated by limiting the amount of
|
||
|
cryptographic "work" to a much lower amount. The actual
|
||
|
limits are number a signature validation fails per RRset(20),
|
||
|
number of signature validations and hash computations
|
||
|
per query(200), number of sub-queries to fetch DS and DNSKEY
|
||
|
RRsets per query(40), and the number of iterations in a
|
||
|
NSEC3 record(150). These values are sensible, but there is, as yet,
|
||
|
no standardisation on the values for a "conforming" domain, so a
|
||
|
new option --dnssec-limit is provided should they need to be altered.
|
||
|
The algorithm to validate DS records has also been altered to reduce
|
||
|
the maximum work from cross product of the number of DS records and
|
||
|
number of DNSKEYs to the cross product of the number of DS records
|
||
|
and supported DS digest types. As the number of DS digest types
|
||
|
is in single figures, this reduces the exposure.
|
||
|
|
||
|
Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
|
||
|
and Michael Waidner from the German National Research Center for
|
||
|
Applied Cybersecurity ATHENE for finding this vulnerability.
|
||
|
|
||
|
CVE 2023-50387 and CVE 2023-50868 apply.
|
||
|
Note that the is a security vulnerablity only when DNSSEC validation
|
||
|
is enabled.
|
||
|
|
||
|
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
|
||
|
index aaab1f5..8bb81b6 100644
|
||
|
--- a/man/dnsmasq.8
|
||
|
+++ b/man/dnsmasq.8
|
||
|
@@ -793,6 +793,15 @@ Authenticated Data bit correctly in all cases is not technically possible. If th
|
||
|
when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
|
||
|
within dnsmasq is a better option. See --dnssec for details.
|
||
|
.TP
|
||
|
+.B --dnssec-limits=<limit>[,<limit>.......]
|
||
|
+Override the default resource limits applied to DNSSEC validation. Cryptographic operations are expensive and crafted domains
|
||
|
+can DoS a DNSSEC validator by forcing it to do hundreds of thousands of such operations. To avoid this, the dnsmasq validation code
|
||
|
+applies limits on how much work will be expended in validation. If any of the limits are exceeded, the validation will fail and the
|
||
|
+domain treated as BOGUS. There are four limits, in order(default values in parens): number a signature validation fails per RRset(20), number of signature validations and
|
||
|
+hash computations per query(200), number of sub-queries to fetch DS and DNSKEY RRsets per query(40), and the number of iterations in a NSEC3 record(150).
|
||
|
+The maximum values reached during validation are stored, and dumped as part of the stats generated by SIGUSR1. Supplying a limit value of 0 leaves the default in place, so
|
||
|
+\fB--dnssec-limits=0,0,20\fP sets the number of sub-queries to 20 whilst leaving the other limits at default values.
|
||
|
+.TP
|
||
|
.B --dnssec-debug
|
||
|
Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
|
||
|
and don't convert replies which do not validate to responses with
|
||
|
diff --git a/src/cache.c b/src/cache.c
|
||
|
index 4dbfdb4..7dc7646 100644
|
||
|
--- a/src/cache.c
|
||
|
+++ b/src/cache.c
|
||
|
@@ -714,7 +714,18 @@ void cache_end_insert(void)
|
||
|
if (daemon->pipe_to_parent != -1)
|
||
|
{
|
||
|
ssize_t m = -1;
|
||
|
+
|
||
|
+ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
|
||
|
+
|
||
|
+#ifdef HAVE_DNSSEC
|
||
|
+ /* Sneak out possibly updated crypto HWM values. */
|
||
|
+ m = daemon->metrics[METRIC_CRYPTO_HWM];
|
||
|
read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
|
||
|
+ m = daemon->metrics[METRIC_SIG_FAIL_HWM];
|
||
|
+ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
|
||
|
+ m = daemon->metrics[METRIC_WORK_HWM];
|
||
|
+ read_write(daemon->pipe_to_parent, (unsigned char *)&m, sizeof(m), 0);
|
||
|
+#endif
|
||
|
}
|
||
|
|
||
|
new_chain = NULL;
|
||
|
@@ -733,7 +744,7 @@ int cache_recv_insert(time_t now, int fd)
|
||
|
|
||
|
cache_start_insert();
|
||
|
|
||
|
- while(1)
|
||
|
+ while (1)
|
||
|
{
|
||
|
|
||
|
if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
|
||
|
@@ -741,6 +752,21 @@ int cache_recv_insert(time_t now, int fd)
|
||
|
|
||
|
if (m == -1)
|
||
|
{
|
||
|
+#ifdef HAVE_DNSSEC
|
||
|
+ /* Sneak in possibly updated crypto HWM. */
|
||
|
+ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
|
||
|
+ return 0;
|
||
|
+ if (m > daemon->metrics[METRIC_CRYPTO_HWM])
|
||
|
+ daemon->metrics[METRIC_CRYPTO_HWM] = m;
|
||
|
+ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
|
||
|
+ return 0;
|
||
|
+ if (m > daemon->metrics[METRIC_SIG_FAIL_HWM])
|
||
|
+ daemon->metrics[METRIC_SIG_FAIL_HWM] = m;
|
||
|
+ if (!read_write(fd, (unsigned char *)&m, sizeof(m), 1))
|
||
|
+ return 0;
|
||
|
+ if (m > daemon->metrics[METRIC_WORK_HWM])
|
||
|
+ daemon->metrics[METRIC_WORK_HWM] = m;
|
||
|
+#endif
|
||
|
cache_end_insert();
|
||
|
return 1;
|
||
|
}
|
||
|
@@ -1681,6 +1707,11 @@ void dump_cache(time_t now)
|
||
|
#ifdef HAVE_AUTH
|
||
|
my_syslog(LOG_INFO, _("queries for authoritative zones %u"), daemon->metrics[METRIC_DNS_AUTH_ANSWERED]);
|
||
|
#endif
|
||
|
+#ifdef HAVE_DNSSEC
|
||
|
+ my_syslog(LOG_INFO, _("DNSSEC per-query subqueries HWM %u"), daemon->metrics[METRIC_WORK_HWM]);
|
||
|
+ my_syslog(LOG_INFO, _("DNSSEC per-query crypto work HWM %u"), daemon->metrics[METRIC_CRYPTO_HWM]);
|
||
|
+ my_syslog(LOG_INFO, _("DNSSEC per-RRSet signature fails HWM %u"), daemon->metrics[METRIC_SIG_FAIL_HWM]);
|
||
|
+#endif
|
||
|
|
||
|
blockdata_report();
|
||
|
|
||
|
diff --git a/src/config.h b/src/config.h
|
||
|
index 9a70036..388bdf0 100644
|
||
|
--- a/src/config.h
|
||
|
+++ b/src/config.h
|
||
|
@@ -22,7 +22,10 @@
|
||
|
#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
|
||
|
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
|
||
|
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
|
||
|
-#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
|
||
|
+#define DNSSEC_LIMIT_WORK 40 /* Max number of queries to validate one question */
|
||
|
+#define DNSSEC_LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
|
||
|
+#define DNSSEC_LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one query. */
|
||
|
+#define DNSSEC_LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allowed in NSEC3 record. */
|
||
|
#define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
|
||
|
#define FORWARD_TEST 50 /* try all servers every 50 queries */
|
||
|
#define FORWARD_TIME 20 /* or 20 seconds */
|
||
|
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
|
||
|
index c62c3d0..6fa2593 100644
|
||
|
--- a/src/dnsmasq.h
|
||
|
+++ b/src/dnsmasq.h
|
||
|
@@ -663,15 +663,30 @@ struct hostsfile {
|
||
|
|
||
|
|
||
|
/* DNSSEC status values. */
|
||
|
-#define STAT_SECURE 1
|
||
|
-#define STAT_INSECURE 2
|
||
|
-#define STAT_BOGUS 3
|
||
|
-#define STAT_NEED_DS 4
|
||
|
-#define STAT_NEED_KEY 5
|
||
|
-#define STAT_TRUNCATED 6
|
||
|
-#define STAT_SECURE_WILDCARD 7
|
||
|
-#define STAT_OK 8
|
||
|
-#define STAT_ABANDONED 9
|
||
|
+#define STAT_SECURE 0x10000
|
||
|
+#define STAT_INSECURE 0x20000
|
||
|
+#define STAT_BOGUS 0x30000
|
||
|
+#define STAT_NEED_DS 0x40000
|
||
|
+#define STAT_NEED_KEY 0x50000
|
||
|
+#define STAT_TRUNCATED 0x60000
|
||
|
+#define STAT_SECURE_WILDCARD 0x70000
|
||
|
+#define STAT_OK 0x80000
|
||
|
+#define STAT_ABANDONED 0x90000
|
||
|
+
|
||
|
+#define DNSSEC_FAIL_NYV 0x0001 /* key not yet valid */
|
||
|
+#define DNSSEC_FAIL_EXP 0x0002 /* key expired */
|
||
|
+#define DNSSEC_FAIL_INDET 0x0004 /* indetermined */
|
||
|
+#define DNSSEC_FAIL_NOKEYSUP 0x0008 /* no supported key algo. */
|
||
|
+#define DNSSEC_FAIL_NOSIG 0x0010 /* No RRsigs */
|
||
|
+#define DNSSEC_FAIL_NOZONE 0x0020 /* No Zone bit set */
|
||
|
+#define DNSSEC_FAIL_NONSEC 0x0040 /* No NSEC */
|
||
|
+#define DNSSEC_FAIL_NODSSUP 0x0080 /* no supported DS algo. */
|
||
|
+#define DNSSEC_FAIL_NOKEY 0x0100 /* no DNSKEY */
|
||
|
+#define DNSSEC_FAIL_NSEC3_ITERS 0x0200 /* too many iterations in NSEC3 */
|
||
|
+#define DNSSEC_FAIL_BADPACKET 0x0400 /* bad packet */
|
||
|
+#define DNSSEC_FAIL_WORK 0x0800 /* too much crypto */
|
||
|
+
|
||
|
+#define STAT_ISEQUAL(a, b) (((a) & 0xffff0000) == (b))
|
||
|
|
||
|
#define FREC_NOREBIND 1
|
||
|
#define FREC_CHECKING_DISABLED 2
|
||
|
@@ -704,7 +719,7 @@ struct frec {
|
||
|
time_t time;
|
||
|
unsigned char *hash[HASH_SIZE];
|
||
|
#ifdef HAVE_DNSSEC
|
||
|
- int class, work_counter;
|
||
|
+ int class, work_counter, validate_counter;
|
||
|
struct blockdata *stash; /* Saved reply, whilst we validate */
|
||
|
size_t stash_len;
|
||
|
struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
|
||
|
@@ -741,6 +756,12 @@ struct frec {
|
||
|
#define LEASE_HAVE_HWADDR 128 /* Have set hwaddress */
|
||
|
#define LEASE_EXP_CHANGED 256 /* Lease expiry time changed */
|
||
|
|
||
|
+#define LIMIT_SIG_FAIL 0
|
||
|
+#define LIMIT_CRYPTO 1
|
||
|
+#define LIMIT_WORK 2
|
||
|
+#define LIMIT_NSEC3_ITERS 3
|
||
|
+#define LIMIT_MAX 4
|
||
|
+
|
||
|
struct dhcp_lease {
|
||
|
int clid_len; /* length of client identifier */
|
||
|
unsigned char *clid; /* clientid */
|
||
|
@@ -1127,6 +1148,7 @@ extern struct daemon {
|
||
|
int rr_status_sz;
|
||
|
int dnssec_no_time_check;
|
||
|
int back_to_the_future;
|
||
|
+ int limit[LIMIT_MAX];
|
||
|
#endif
|
||
|
struct frec *frec_list;
|
||
|
struct frec_src *free_frec_src;
|
||
|
@@ -1280,10 +1302,12 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
|
||
|
|
||
|
/* dnssec.c */
|
||
|
size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz);
|
||
|
-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
|
||
|
-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
|
||
|
+int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name,
|
||
|
+ char *keyname, int class, int *validate_count);
|
||
|
+int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name,
|
||
|
+ char *keyname, int class, int *validate_count);
|
||
|
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
|
||
|
- int check_unsigned, int *neganswer, int *nons, int *nsec_ttl);
|
||
|
+ int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_count);
|
||
|
int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
|
||
|
size_t filter_rrsigs(struct dns_header *header, size_t plen);
|
||
|
int setup_timestamp(void);
|
||
|
@@ -1680,7 +1704,7 @@ int do_poll(int timeout);
|
||
|
|
||
|
/* rrfilter.c */
|
||
|
size_t rrfilter(struct dns_header *header, size_t plen, int mode);
|
||
|
-u16 *rrfilter_desc(int type);
|
||
|
+short *rrfilter_desc(int type);
|
||
|
int expand_workspace(unsigned char ***wkspc, int *szp, int new);
|
||
|
|
||
|
/* edns0.c */
|
||
|
diff --git a/src/dnssec.c b/src/dnssec.c
|
||
|
index 3ee1e9e..e465bbd 100644
|
||
|
--- a/src/dnssec.c
|
||
|
+++ b/src/dnssec.c
|
||
|
@@ -1,5 +1,5 @@
|
||
|
/* dnssec.c is Copyright (c) 2012 Giovanni Bajo <rasky@develer.com>
|
||
|
- and Copyright (c) 2012-2020 Simon Kelley
|
||
|
+ and Copyright (c) 2012-2023 Simon Kelley
|
||
|
|
||
|
This program is free software; you can redistribute it and/or modify
|
||
|
it under the terms of the GNU General Public License as published by
|
||
|
@@ -215,14 +215,6 @@ static int is_check_date(unsigned long curtime)
|
||
|
return !daemon->dnssec_no_time_check;
|
||
|
}
|
||
|
|
||
|
-/* Check whether today/now is between date_start and date_end */
|
||
|
-static int check_date_range(unsigned long curtime, u32 date_start, u32 date_end)
|
||
|
-{
|
||
|
- /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
|
||
|
- return serial_compare_32(curtime, date_start) == SERIAL_GT
|
||
|
- && serial_compare_32(curtime, date_end) == SERIAL_LT;
|
||
|
-}
|
||
|
-
|
||
|
/* Return bytes of canonicalised rrdata one by one.
|
||
|
Init state->ip with the RR, and state->end with the end of same.
|
||
|
Init state->op to NULL.
|
||
|
@@ -233,7 +225,7 @@ static int check_date_range(unsigned long curtime, u32 date_start, u32 date_end)
|
||
|
On returning 0, the end has been reached.
|
||
|
*/
|
||
|
struct rdata_state {
|
||
|
- u16 *desc;
|
||
|
+ short *desc;
|
||
|
size_t c;
|
||
|
unsigned char *end, *ip, *op;
|
||
|
char *buff;
|
||
|
@@ -254,7 +246,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state
|
||
|
{
|
||
|
d = *(state->desc);
|
||
|
|
||
|
- if (d == (u16)-1)
|
||
|
+ if (d == -1)
|
||
|
{
|
||
|
/* all the bytes to the end. */
|
||
|
if ((state->c = state->end - state->ip) != 0)
|
||
|
@@ -302,7 +294,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state
|
||
|
|
||
|
/* Bubble sort the RRset into the canonical order. */
|
||
|
|
||
|
-static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx,
|
||
|
+static int sort_rrset(struct dns_header *header, size_t plen, short *rr_desc, int rrsetidx,
|
||
|
unsigned char **rrset, char *buff1, char *buff2)
|
||
|
{
|
||
|
int swap, i, j;
|
||
|
@@ -339,7 +331,7 @@ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
|
||
|
is the identity function and we can compare
|
||
|
the RRs directly. If not we compare the
|
||
|
canonicalised RRs one byte at a time. */
|
||
|
- if (*rr_desc == (u16)-1)
|
||
|
+ if (*rr_desc == -1)
|
||
|
{
|
||
|
int rdmin = rdlen1 > rdlen2 ? rdlen2 : rdlen1;
|
||
|
int cmp = memcmp(state1.ip, state2.ip, rdmin);
|
||
|
@@ -507,12 +499,24 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
|
||
|
return 1;
|
||
|
}
|
||
|
|
||
|
+int dec_counter(int *counter, char *message)
|
||
|
+{
|
||
|
+ if ((*counter)-- == 0)
|
||
|
+ {
|
||
|
+ my_syslog(LOG_WARNING, "limit exceeded: %s", message ? message : _("per-query crypto work"));
|
||
|
+ return 1;
|
||
|
+ }
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
/* Validate a single RRset (class, type, name) in the supplied DNS reply
|
||
|
Return code:
|
||
|
STAT_SECURE if it validates.
|
||
|
STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion.
|
||
|
(In this case *wildcard_out points to the "body" of the wildcard within name.)
|
||
|
STAT_BOGUS signature is wrong, bad packet.
|
||
|
+ STAT_ABANDONED validation abandoned do to excess resource usage.
|
||
|
STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname)
|
||
|
STAT_NEED_DS need DS to complete validation (name is returned in keyname)
|
||
|
|
||
|
@@ -527,14 +531,15 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
|
||
|
*/
|
||
|
static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, int sigidx, int rrsetidx,
|
||
|
char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen,
|
||
|
- int algo_in, int keytag_in, unsigned long *ttl_out)
|
||
|
+ int algo_in, int keytag_in, unsigned long *ttl_out, int *validate_counter)
|
||
|
{
|
||
|
unsigned char *p;
|
||
|
- int rdlen, j, name_labels, algo, labels, key_tag;
|
||
|
+ int rdlen, j, name_labels, algo, labels, key_tag, sig_fail_cnt;
|
||
|
struct crec *crecp = NULL;
|
||
|
- u16 *rr_desc = rrfilter_desc(type);
|
||
|
+ short *rr_desc = rrfilter_desc(type);
|
||
|
u32 sig_expiration, sig_inception;
|
||
|
-
|
||
|
+ int failflags = DNSSEC_FAIL_NOSIG | DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP | DNSSEC_FAIL_NOKEYSUP;
|
||
|
+
|
||
|
unsigned long curtime = time(0);
|
||
|
int time_check = is_check_date(curtime);
|
||
|
|
||
|
@@ -549,7 +554,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
rrsetidx = sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname);
|
||
|
|
||
|
/* Now try all the sigs to try and find one which validates */
|
||
|
- for (j = 0; j <sigidx; j++)
|
||
|
+ for (sig_fail_cnt = daemon->limit[LIMIT_SIG_FAIL], j = 0; j <sigidx; j++)
|
||
|
{
|
||
|
unsigned char *psav, *sig, *digest;
|
||
|
int i, wire_len, sig_len;
|
||
|
@@ -557,6 +562,8 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
void *ctx;
|
||
|
char *name_start;
|
||
|
u32 nsigttl, ttl, orig_ttl;
|
||
|
+
|
||
|
+ failflags &= ~DNSSEC_FAIL_NOSIG;
|
||
|
|
||
|
p = sigs[j];
|
||
|
GETLONG(ttl, p);
|
||
|
@@ -574,12 +581,31 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
if (!extract_name(header, plen, &p, keyname, 1, 0))
|
||
|
return STAT_BOGUS;
|
||
|
|
||
|
- if ((time_check && !check_date_range(curtime, sig_inception, sig_expiration)) ||
|
||
|
- labels > name_labels ||
|
||
|
- !(hash = hash_find(algo_digest_name(algo))) ||
|
||
|
+ if (!time_check)
|
||
|
+ failflags &= ~(DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP);
|
||
|
+ else
|
||
|
+ {
|
||
|
+ /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
|
||
|
+ if (serial_compare_32(curtime, sig_inception) == SERIAL_LT)
|
||
|
+ continue;
|
||
|
+ else
|
||
|
+ failflags &= ~DNSSEC_FAIL_NYV;
|
||
|
+
|
||
|
+ if (serial_compare_32(curtime, sig_expiration) == SERIAL_GT)
|
||
|
+ continue;
|
||
|
+ else
|
||
|
+ failflags &= ~DNSSEC_FAIL_EXP;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (!(hash = hash_find(algo_digest_name(algo))))
|
||
|
+ continue;
|
||
|
+ else
|
||
|
+ failflags &= ~DNSSEC_FAIL_NOKEYSUP;
|
||
|
+
|
||
|
+ if (labels > name_labels ||
|
||
|
!hash_init(hash, &ctx, &digest))
|
||
|
continue;
|
||
|
-
|
||
|
+
|
||
|
/* OK, we have the signature record, see if the relevant DNSKEY is in the cache. */
|
||
|
if (!key && !(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY)))
|
||
|
return STAT_NEED_KEY;
|
||
|
@@ -657,7 +683,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
|
||
|
If canonicalisation is not needed, a simple insertion into the hash works.
|
||
|
*/
|
||
|
- if (*rr_desc == (u16)-1)
|
||
|
+ if (*rr_desc == -1)
|
||
|
{
|
||
|
len = htons(rdlen);
|
||
|
hash->update(ctx, 2, (unsigned char *)&len);
|
||
|
@@ -710,13 +736,19 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
|
||
|
/* namebuff used for workspace above, restore to leave unchanged on exit */
|
||
|
p = (unsigned char*)(rrset[0]);
|
||
|
- extract_name(header, plen, &p, name, 1, 0);
|
||
|
+ if (!extract_name(header, plen, &p, name, 1, 0))
|
||
|
+ return STAT_BOGUS;
|
||
|
|
||
|
if (key)
|
||
|
{
|
||
|
- if (algo_in == algo && keytag_in == key_tag &&
|
||
|
- verify(key, keylen, sig, sig_len, digest, hash->digest_size, algo))
|
||
|
- return STAT_SECURE;
|
||
|
+ if (algo_in == algo && keytag_in == key_tag)
|
||
|
+ {
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return STAT_ABANDONED;
|
||
|
+
|
||
|
+ if (verify(key, keylen, sig, sig_len, digest, hash->digest_size, algo))
|
||
|
+ return STAT_SECURE;
|
||
|
+ }
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
@@ -724,13 +756,27 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
for (; crecp; crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))
|
||
|
if (crecp->addr.key.algo == algo &&
|
||
|
crecp->addr.key.keytag == key_tag &&
|
||
|
- crecp->uid == (unsigned int)class &&
|
||
|
- verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo))
|
||
|
- return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE;
|
||
|
+ crecp->uid == (unsigned int)class)
|
||
|
+ {
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return STAT_ABANDONED;
|
||
|
+
|
||
|
+ if (verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo))
|
||
|
+ return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE;
|
||
|
+
|
||
|
+ /* An attacker can waste a lot of our CPU by setting up a giant DNSKEY RRSET full of failing
|
||
|
+ keys, all of which we have to try. Since many failing keys is not likely for
|
||
|
+ a legitimate domain, set a limit on how many can fail. */
|
||
|
+ if ((daemon->limit[LIMIT_SIG_FAIL] - (sig_fail_cnt + 1)) > (int)daemon->metrics[METRIC_SIG_FAIL_HWM])
|
||
|
+ daemon->metrics[METRIC_SIG_FAIL_HWM] = daemon->limit[LIMIT_SIG_FAIL] - (sig_fail_cnt + 1);
|
||
|
+ if (dec_counter(&sig_fail_cnt, _("per-RRSet signature fails")))
|
||
|
+ return STAT_ABANDONED;
|
||
|
+ }
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- return STAT_BOGUS;
|
||
|
+ /* If we reach this point, no verifying key was found */
|
||
|
+ return STAT_BOGUS | failflags | DNSSEC_FAIL_NOKEY;
|
||
|
}
|
||
|
|
||
|
|
||
|
@@ -740,38 +786,45 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
|
||
|
STAT_OK Done, key(s) in cache.
|
||
|
STAT_BOGUS No DNSKEYs found, which can be validated with DS,
|
||
|
or self-sign for DNSKEY RRset is not valid, bad packet.
|
||
|
+ STAT_ABANDONED resource exhaustion.
|
||
|
STAT_NEED_DS DS records to validate a key not found, name in keyname
|
||
|
- STAT_NEED_KEY DNSKEY records to validate a key not found, name in keyname
|
||
|
*/
|
||
|
-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
|
||
|
+int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name,
|
||
|
+ char *keyname, int class, int *validate_counter)
|
||
|
{
|
||
|
- unsigned char *psave, *p = (unsigned char *)(header+1);
|
||
|
+ unsigned char *psave, *p = (unsigned char *)(header+1), *keyaddr;
|
||
|
struct crec *crecp, *recp1;
|
||
|
- int rc, j, qtype, qclass, rdlen, flags, algo, valid, keytag;
|
||
|
+ int rc, j, qtype, qclass, rdlen, flags, algo, keytag, sigcnt, rrcnt;
|
||
|
unsigned long ttl, sig_ttl;
|
||
|
- struct blockdata *key;
|
||
|
union all_addr a;
|
||
|
+ int failflags = DNSSEC_FAIL_NODSSUP | DNSSEC_FAIL_NOZONE;
|
||
|
+ char valid_digest[255];
|
||
|
+ static unsigned char **cached_digest;
|
||
|
+ static size_t cached_digest_size = 0;
|
||
|
|
||
|
- if (ntohs(header->qdcount) != 1 ||
|
||
|
- RCODE(header) == SERVFAIL || RCODE(header) == REFUSED ||
|
||
|
- !extract_name(header, plen, &p, name, 1, 4))
|
||
|
- return STAT_BOGUS;
|
||
|
+ if (ntohs(header->qdcount) != 1 || RCODE(header) != NOERROR || !extract_name(header, plen, &p, name, 1, 4))
|
||
|
+ return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
|
||
|
|
||
|
GETSHORT(qtype, p);
|
||
|
GETSHORT(qclass, p);
|
||
|
|
||
|
- if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
|
||
|
- return STAT_BOGUS;
|
||
|
+ if (qtype != T_DNSKEY || qclass != class ||
|
||
|
+ !explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) ||
|
||
|
+ rrcnt == 0)
|
||
|
+ return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
|
||
|
|
||
|
+ if (sigcnt == 0)
|
||
|
+ return STAT_BOGUS | DNSSEC_FAIL_NOSIG;
|
||
|
+
|
||
|
/* See if we have cached a DS record which validates this key */
|
||
|
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
|
||
|
{
|
||
|
strcpy(keyname, name);
|
||
|
return STAT_NEED_DS;
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
/* NOTE, we need to find ONE DNSKEY which matches the DS */
|
||
|
- for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
|
||
|
+ for (j = ntohs(header->ancount); j != 0; j--)
|
||
|
{
|
||
|
/* Ensure we have type, class TTL and length */
|
||
|
if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
|
||
|
@@ -782,7 +835,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
GETLONG(ttl, p);
|
||
|
GETSHORT(rdlen, p);
|
||
|
|
||
|
- if (!CHECK_LEN(header, p, plen, rdlen) || rdlen < 4)
|
||
|
+ if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
return STAT_BOGUS; /* bad packet */
|
||
|
|
||
|
if (qclass != class || qtype != T_DNSKEY || rc == 2)
|
||
|
@@ -790,172 +843,230 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
p += rdlen;
|
||
|
continue;
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
+ if (rdlen < 5)
|
||
|
+ return STAT_BOGUS; /* min 1 byte key! */
|
||
|
+
|
||
|
psave = p;
|
||
|
|
||
|
GETSHORT(flags, p);
|
||
|
if (*p++ != 3)
|
||
|
- return STAT_BOGUS;
|
||
|
- algo = *p++;
|
||
|
- keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
|
||
|
- key = NULL;
|
||
|
-
|
||
|
- /* key must have zone key flag set */
|
||
|
- if (flags & 0x100)
|
||
|
- key = blockdata_alloc((char*)p, rdlen - 4);
|
||
|
-
|
||
|
- p = psave;
|
||
|
-
|
||
|
- if (!ADD_RDLEN(header, p, plen, rdlen))
|
||
|
{
|
||
|
- if (key)
|
||
|
- blockdata_free(key);
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
+ p = psave + rdlen;
|
||
|
+ continue;
|
||
|
}
|
||
|
+ algo = *p++;
|
||
|
+ keyaddr = p;
|
||
|
+ keytag = dnskey_keytag(algo, flags, keyaddr, rdlen - 4);
|
||
|
+
|
||
|
+ p = psave + rdlen;
|
||
|
|
||
|
- /* No zone key flag or malloc failure */
|
||
|
- if (!key)
|
||
|
+ /* key must have zone key flag set */
|
||
|
+ if (!(flags & 0x100))
|
||
|
continue;
|
||
|
|
||
|
+ failflags &= ~DNSSEC_FAIL_NOZONE;
|
||
|
+
|
||
|
+ /* clear digest cache. */
|
||
|
+ memset(valid_digest, 0, sizeof(valid_digest));
|
||
|
+
|
||
|
for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
|
||
|
{
|
||
|
void *ctx;
|
||
|
unsigned char *digest, *ds_digest;
|
||
|
const struct nettle_hash *hash;
|
||
|
- int sigcnt, rrcnt;
|
||
|
+ int wire_len;
|
||
|
+
|
||
|
+ if ((recp1->flags & F_NEG) ||
|
||
|
+ recp1->addr.ds.algo != algo ||
|
||
|
+ recp1->addr.ds.keytag != keytag ||
|
||
|
+ recp1->uid != (unsigned int)class)
|
||
|
+ continue;
|
||
|
+
|
||
|
+ if (!(hash = hash_find(ds_digest_name(recp1->addr.ds.digest))))
|
||
|
+ continue;
|
||
|
+
|
||
|
+ failflags &= ~DNSSEC_FAIL_NODSSUP;
|
||
|
+
|
||
|
+ if (recp1->addr.ds.keylen != (int)hash->digest_size ||
|
||
|
+ !(ds_digest = blockdata_retrieve(recp1->addr.ds.keydata, recp1->addr.ds.keylen, NULL)))
|
||
|
+ continue;
|
||
|
|
||
|
- if (recp1->addr.ds.algo == algo &&
|
||
|
- recp1->addr.ds.keytag == keytag &&
|
||
|
- recp1->uid == (unsigned int)class &&
|
||
|
- (hash = hash_find(ds_digest_name(recp1->addr.ds.digest))) &&
|
||
|
- hash_init(hash, &ctx, &digest))
|
||
|
-
|
||
|
+ if (valid_digest[recp1->addr.ds.digest])
|
||
|
+ digest = cached_digest[recp1->addr.ds.digest];
|
||
|
+ else
|
||
|
{
|
||
|
- int wire_len = to_wire(name);
|
||
|
+ /* computing a hash is a unit of crypto work. */
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return STAT_ABANDONED;
|
||
|
+
|
||
|
+ if (!hash_init(hash, &ctx, &digest))
|
||
|
+ continue;
|
||
|
+
|
||
|
+ wire_len = to_wire(name);
|
||
|
|
||
|
/* Note that digest may be different between DSs, so
|
||
|
- we can't move this outside the loop. */
|
||
|
+ we can't move this outside the loop. We keep
|
||
|
+ copies of each digest we make for this key,
|
||
|
+ so maximum digest work is O(keys x digests_types)
|
||
|
+ rather then O(keys x DSs) */
|
||
|
hash->update(ctx, (unsigned int)wire_len, (unsigned char *)name);
|
||
|
hash->update(ctx, (unsigned int)rdlen, psave);
|
||
|
hash->digest(ctx, hash->digest_size, digest);
|
||
|
|
||
|
from_wire(name);
|
||
|
-
|
||
|
- if (!(recp1->flags & F_NEG) &&
|
||
|
- recp1->addr.ds.keylen == (int)hash->digest_size &&
|
||
|
- (ds_digest = blockdata_retrieve(recp1->addr.ds.keydata, recp1->addr.ds.keylen, NULL)) &&
|
||
|
- memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 &&
|
||
|
- explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) &&
|
||
|
- sigcnt != 0 && rrcnt != 0 &&
|
||
|
- validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname,
|
||
|
- NULL, key, rdlen - 4, algo, keytag, &sig_ttl) == STAT_SECURE)
|
||
|
+
|
||
|
+ if (recp1->addr.ds.digest >= cached_digest_size)
|
||
|
{
|
||
|
- valid = 1;
|
||
|
- break;
|
||
|
+ unsigned char **new;
|
||
|
+
|
||
|
+ /* whine_malloc zeros memory */
|
||
|
+ if ((new = whine_malloc((recp1->addr.ds.digest + 5) * sizeof(unsigned char *))))
|
||
|
+ {
|
||
|
+ if (cached_digest_size != 0)
|
||
|
+ {
|
||
|
+ memcpy(new, cached_digest, cached_digest_size * sizeof(unsigned char *));
|
||
|
+ free(cached_digest);
|
||
|
+ }
|
||
|
+
|
||
|
+ cached_digest_size = recp1->addr.ds.digest + 5;
|
||
|
+ cached_digest = new;
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ if (recp1->addr.ds.digest < cached_digest_size)
|
||
|
+ {
|
||
|
+ if (!cached_digest[recp1->addr.ds.digest])
|
||
|
+ cached_digest[recp1->addr.ds.digest] = whine_malloc(recp1->addr.ds.keylen);
|
||
|
+
|
||
|
+ if (cached_digest[recp1->addr.ds.digest])
|
||
|
+ {
|
||
|
+ memcpy(cached_digest[recp1->addr.ds.digest], digest, recp1->addr.ds.keylen);
|
||
|
+ valid_digest[recp1->addr.ds.digest] = 1;
|
||
|
+ }
|
||
|
}
|
||
|
}
|
||
|
- }
|
||
|
- blockdata_free(key);
|
||
|
- }
|
||
|
-
|
||
|
- if (valid)
|
||
|
- {
|
||
|
- /* DNSKEY RRset determined to be OK, now cache it. */
|
||
|
- cache_start_insert();
|
||
|
-
|
||
|
- p = skip_questions(header, plen);
|
||
|
-
|
||
|
- for (j = ntohs(header->ancount); j != 0; j--)
|
||
|
- {
|
||
|
- /* Ensure we have type, class TTL and length */
|
||
|
- if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
|
||
|
- GETSHORT(qtype, p);
|
||
|
- GETSHORT(qclass, p);
|
||
|
- GETLONG(ttl, p);
|
||
|
- GETSHORT(rdlen, p);
|
||
|
-
|
||
|
- /* TTL may be limited by sig. */
|
||
|
- if (sig_ttl < ttl)
|
||
|
- ttl = sig_ttl;
|
||
|
-
|
||
|
- if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
-
|
||
|
- if (qclass == class && rc == 1)
|
||
|
+ if (memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0)
|
||
|
{
|
||
|
- psave = p;
|
||
|
+ /* Found the key validated by a DS record.
|
||
|
+ Now check the self-sig for the entire key RRset using that key.
|
||
|
+ Note that validate_rrset() will never return STAT_NEED_KEY here,
|
||
|
+ since we supply the key it will use as an argument. */
|
||
|
+ struct blockdata *key;
|
||
|
+
|
||
|
+ if (!(key = blockdata_alloc((char *)keyaddr, rdlen - 4)))
|
||
|
+ break;
|
||
|
+
|
||
|
+ rc = validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname,
|
||
|
+ NULL, key, rdlen - 4, algo, keytag, &sig_ttl, validate_counter);
|
||
|
+
|
||
|
+ blockdata_free(key);
|
||
|
+
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_ABANDONED))
|
||
|
+ return rc;
|
||
|
|
||
|
- if (qtype == T_DNSKEY)
|
||
|
+ /* can't validate KEY RRset with this key, see if there's another that
|
||
|
+ will, which is validated by another DS. */
|
||
|
+ if (!STAT_ISEQUAL(rc, STAT_SECURE))
|
||
|
+ break;
|
||
|
+
|
||
|
+ /* DNSKEY RRset determined to be OK, now cache it. */
|
||
|
+ cache_start_insert();
|
||
|
+
|
||
|
+ p = skip_questions(header, plen);
|
||
|
+
|
||
|
+ for (j = ntohs(header->ancount); j != 0; j--)
|
||
|
{
|
||
|
- if (rdlen < 4)
|
||
|
+ /* Ensure we have type, class TTL and length */
|
||
|
+ if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
|
||
|
return STAT_BOGUS; /* bad packet */
|
||
|
|
||
|
- GETSHORT(flags, p);
|
||
|
- if (*p++ != 3)
|
||
|
- return STAT_BOGUS;
|
||
|
- algo = *p++;
|
||
|
- keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
|
||
|
+ GETSHORT(qtype, p);
|
||
|
+ GETSHORT(qclass, p);
|
||
|
+ GETLONG(ttl, p);
|
||
|
+ GETSHORT(rdlen, p);
|
||
|
|
||
|
- if ((key = blockdata_alloc((char*)p, rdlen - 4)))
|
||
|
- {
|
||
|
- a.key.keylen = rdlen - 4;
|
||
|
- a.key.keydata = key;
|
||
|
- a.key.algo = algo;
|
||
|
- a.key.keytag = keytag;
|
||
|
- a.key.flags = flags;
|
||
|
-
|
||
|
- if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK))
|
||
|
- {
|
||
|
- blockdata_free(key);
|
||
|
- return STAT_BOGUS;
|
||
|
- }
|
||
|
- else
|
||
|
- {
|
||
|
- a.log.keytag = keytag;
|
||
|
- a.log.algo = algo;
|
||
|
- if (algo_digest_name(algo))
|
||
|
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
|
||
|
- else
|
||
|
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
|
||
|
- }
|
||
|
- }
|
||
|
+ /* TTL may be limited by sig. */
|
||
|
+ if (sig_ttl < ttl)
|
||
|
+ ttl = sig_ttl;
|
||
|
+
|
||
|
+ if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
+ return STAT_BOGUS; /* bad packet */
|
||
|
+
|
||
|
+ psave = p;
|
||
|
+
|
||
|
+ if (qclass == class && rc == 1 && qtype == T_DNSKEY)
|
||
|
+ {
|
||
|
+ if (rdlen < 4)
|
||
|
+ return STAT_BOGUS; /* min 1 byte key! */
|
||
|
+
|
||
|
+ GETSHORT(flags, p);
|
||
|
+ if (*p++ == 3)
|
||
|
+ {
|
||
|
+ algo = *p++;
|
||
|
+ keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
|
||
|
+
|
||
|
+ if (!(key = blockdata_alloc((char*)p, rdlen - 4)))
|
||
|
+ return STAT_BOGUS;
|
||
|
+
|
||
|
+ a.key.keylen = rdlen - 4;
|
||
|
+ a.key.keydata = key;
|
||
|
+ a.key.algo = algo;
|
||
|
+ a.key.keytag = keytag;
|
||
|
+ a.key.flags = flags;
|
||
|
+
|
||
|
+ if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK))
|
||
|
+ {
|
||
|
+ blockdata_free(key);
|
||
|
+ return STAT_BOGUS;
|
||
|
+ }
|
||
|
+
|
||
|
+ a.log.keytag = keytag;
|
||
|
+ a.log.algo = algo;
|
||
|
+ if (algo_digest_name(algo))
|
||
|
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
|
||
|
+ else
|
||
|
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ p = psave + rdlen;
|
||
|
}
|
||
|
-
|
||
|
- p = psave;
|
||
|
+
|
||
|
+ /* commit cache insert. */
|
||
|
+ cache_end_insert();
|
||
|
+ return STAT_OK;
|
||
|
}
|
||
|
-
|
||
|
- if (!ADD_RDLEN(header, p, plen, rdlen))
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
}
|
||
|
-
|
||
|
- /* commit cache insert. */
|
||
|
- cache_end_insert();
|
||
|
- return STAT_OK;
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY");
|
||
|
- return STAT_BOGUS;
|
||
|
+ return STAT_BOGUS | failflags;
|
||
|
}
|
||
|
|
||
|
/* The DNS packet is expected to contain the answer to a DS query
|
||
|
- Put all DSs in the answer which are valid into the cache.
|
||
|
+ Put all DSs in the answer which are valid and have hash and signature algos
|
||
|
+ we support into the cache.
|
||
|
Also handles replies which prove that there's no DS at this location,
|
||
|
either because the zone is unsigned or this isn't a zone cut. These are
|
||
|
cached too.
|
||
|
+ If none of the DS's are for supported algos, treat the answer as if
|
||
|
+ it's a proof of no DS at this location. RFC4035 para 5.2.
|
||
|
return codes:
|
||
|
STAT_OK At least one valid DS found and in cache.
|
||
|
STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
|
||
|
STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname
|
||
|
STAT_NEED_DS DS record needed.
|
||
|
+ STAT_ABANDONED resource exhaustion.
|
||
|
*/
|
||
|
|
||
|
-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
|
||
|
+int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name,
|
||
|
+ char *keyname, int class, int *validate_counter)
|
||
|
{
|
||
|
unsigned char *p = (unsigned char *)(header+1);
|
||
|
- int qtype, qclass, rc, i, neganswer, nons, neg_ttl = 0;
|
||
|
- int aclass, atype, rdlen;
|
||
|
+ int qtype, qclass, rc, i, neganswer = 0, nons = 0, servfail = 0, neg_ttl = 0, found_supported = 0;
|
||
|
+ int aclass, atype, rdlen, flags;
|
||
|
unsigned long ttl;
|
||
|
union all_addr a;
|
||
|
|
||
|
@@ -967,38 +1078,51 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
||
|
GETSHORT(qclass, p);
|
||
|
|
||
|
if (qtype != T_DS || qclass != class)
|
||
|
- rc = STAT_BOGUS;
|
||
|
+ return STAT_BOGUS;
|
||
|
+
|
||
|
+ /* A SERVFAIL answer has been seen to a DS query not at start of authority,
|
||
|
+ so treat it as such and continue to search for a DS or proof of no existence
|
||
|
+ further down the tree. */
|
||
|
+ if (RCODE(header) == SERVFAIL)
|
||
|
+ servfail = neganswer = nons = 1;
|
||
|
else
|
||
|
- rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl);
|
||
|
-
|
||
|
- if (rc == STAT_INSECURE)
|
||
|
{
|
||
|
- my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name);
|
||
|
- rc = STAT_BOGUS;
|
||
|
- }
|
||
|
+ rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl, validate_counter);
|
||
|
|
||
|
- p = (unsigned char *)(header+1);
|
||
|
- extract_name(header, plen, &p, name, 1, 4);
|
||
|
- p += 4; /* qtype, qclass */
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_INSECURE))
|
||
|
+ {
|
||
|
+ my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name);
|
||
|
+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS - not secure");
|
||
|
+ return STAT_BOGUS | DNSSEC_FAIL_INDET;
|
||
|
+ }
|
||
|
+
|
||
|
+ p = (unsigned char *)(header+1);
|
||
|
+ if (!extract_name(header, plen, &p, name, 1, 4))
|
||
|
+ return STAT_BOGUS;
|
||
|
+
|
||
|
+ p += 4; /* qtype, qclass */
|
||
|
+
|
||
|
+ /* If the key needed to validate the DS is on the same domain as the DS, we'll
|
||
|
+ loop getting nowhere. Stop that now. This can happen of the DS answer comes
|
||
|
+ from the DS's zone, and not the parent zone. */
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_NEED_KEY) && hostname_isequal(name, keyname))
|
||
|
+ {
|
||
|
+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
|
||
|
+ return STAT_BOGUS;
|
||
|
+ }
|
||
|
|
||
|
- /* If the key needed to validate the DS is on the same domain as the DS, we'll
|
||
|
- loop getting nowhere. Stop that now. This can happen of the DS answer comes
|
||
|
- from the DS's zone, and not the parent zone. */
|
||
|
- if (rc == STAT_BOGUS || (rc == STAT_NEED_KEY && hostname_isequal(name, keyname)))
|
||
|
- {
|
||
|
- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
|
||
|
- return STAT_BOGUS;
|
||
|
+ if (!STAT_ISEQUAL(rc, STAT_SECURE))
|
||
|
+ return rc;
|
||
|
}
|
||
|
|
||
|
- if (rc != STAT_SECURE)
|
||
|
- return rc;
|
||
|
-
|
||
|
if (!neganswer)
|
||
|
{
|
||
|
cache_start_insert();
|
||
|
|
||
|
for (i = 0; i < ntohs(header->ancount); i++)
|
||
|
{
|
||
|
+ unsigned char *psave;
|
||
|
+
|
||
|
if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
|
||
|
return STAT_BOGUS; /* bad packet */
|
||
|
|
||
|
@@ -1009,28 +1133,37 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
||
|
|
||
|
if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
return STAT_BOGUS; /* bad packet */
|
||
|
+
|
||
|
+ psave = p;
|
||
|
|
||
|
if (aclass == class && atype == T_DS && rc == 1)
|
||
|
{
|
||
|
int algo, digest, keytag;
|
||
|
- unsigned char *psave = p;
|
||
|
struct blockdata *key;
|
||
|
|
||
|
- if (rdlen < 4)
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
+ if (rdlen < 5)
|
||
|
+ return STAT_BOGUS; /* min 1 byte digest! */
|
||
|
|
||
|
GETSHORT(keytag, p);
|
||
|
algo = *p++;
|
||
|
digest = *p++;
|
||
|
|
||
|
- if ((key = blockdata_alloc((char*)p, rdlen - 4)))
|
||
|
+ if (!ds_digest_name(digest) || !algo_digest_name(algo))
|
||
|
+ {
|
||
|
+ a.log.keytag = keytag;
|
||
|
+ a.log.algo = algo;
|
||
|
+ a.log.digest = digest;
|
||
|
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS for keytag %hu, algo %hu, digest %hu (not supported)");
|
||
|
+ neg_ttl = ttl;
|
||
|
+ }
|
||
|
+ else if ((key = blockdata_alloc((char*)p, rdlen - 4)))
|
||
|
{
|
||
|
a.ds.digest = digest;
|
||
|
a.ds.keydata = key;
|
||
|
a.ds.algo = algo;
|
||
|
a.ds.keytag = keytag;
|
||
|
a.ds.keylen = rdlen - 4;
|
||
|
-
|
||
|
+
|
||
|
if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))
|
||
|
{
|
||
|
blockdata_free(key);
|
||
|
@@ -1041,26 +1174,26 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
||
|
a.log.keytag = keytag;
|
||
|
a.log.algo = algo;
|
||
|
a.log.digest = digest;
|
||
|
- if (ds_digest_name(digest) && algo_digest_name(algo))
|
||
|
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
|
||
|
- else
|
||
|
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
|
||
|
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS for keytag %hu, algo %hu, digest %hu");
|
||
|
+ found_supported = 1;
|
||
|
}
|
||
|
}
|
||
|
-
|
||
|
- p = psave;
|
||
|
}
|
||
|
- if (!ADD_RDLEN(header, p, plen, rdlen))
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
+
|
||
|
+ p = psave + rdlen;
|
||
|
}
|
||
|
|
||
|
cache_end_insert();
|
||
|
|
||
|
+ /* Fall through if no supported algo DS found. */
|
||
|
+ if (found_supported)
|
||
|
+ return STAT_OK;
|
||
|
}
|
||
|
- else
|
||
|
+
|
||
|
+ flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
|
||
|
+
|
||
|
+ if (neganswer)
|
||
|
{
|
||
|
- int flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
|
||
|
-
|
||
|
if (RCODE(header) == NXDOMAIN)
|
||
|
flags |= F_NXDOMAIN;
|
||
|
|
||
|
@@ -1068,17 +1201,19 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
|
||
|
to store presence/absence of NS. */
|
||
|
if (nons)
|
||
|
flags &= ~F_DNSSECOK;
|
||
|
-
|
||
|
- cache_start_insert();
|
||
|
-
|
||
|
- /* Use TTL from NSEC for negative cache entries */
|
||
|
- if (!cache_insert(name, NULL, class, now, neg_ttl, flags))
|
||
|
- return STAT_BOGUS;
|
||
|
-
|
||
|
- cache_end_insert();
|
||
|
-
|
||
|
- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no DS/cut" : "no DS");
|
||
|
}
|
||
|
+
|
||
|
+ cache_start_insert();
|
||
|
+
|
||
|
+ /* Use TTL from NSEC for negative cache entries */
|
||
|
+ if (!cache_insert(name, NULL, class, now, neg_ttl, flags))
|
||
|
+ return STAT_BOGUS;
|
||
|
+
|
||
|
+ cache_end_insert();
|
||
|
+
|
||
|
+ if (neganswer)
|
||
|
+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL,
|
||
|
+ servfail ? "SERVFAIL" : (nons ? "no DS/cut" : "no DS"));
|
||
|
|
||
|
return STAT_OK;
|
||
|
}
|
||
|
@@ -1148,6 +1283,7 @@ static int hostname_cmp(const char *a, const char *b)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */
|
||
|
static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count,
|
||
|
char *workspace1_in, char *workspace2, char *name, int type, int *nons)
|
||
|
{
|
||
|
@@ -1167,12 +1303,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||
|
|
||
|
p = nsecs[i];
|
||
|
if (!extract_name(header, plen, &p, workspace1, 1, 10))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
p += 8; /* class, type, TTL */
|
||
|
GETSHORT(rdlen, p);
|
||
|
psave = p;
|
||
|
- if (!extract_name(header, plen, &p, workspace2, 1, 10))
|
||
|
- return 0;
|
||
|
+ if (!extract_name(header, plen, &p, workspace2, 1, 0))
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
/* If NSEC comes from wildcard expansion, use original wildcard
|
||
|
as name for computation. */
|
||
|
@@ -1200,12 +1336,13 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||
|
{
|
||
|
/* 4035 para 5.4. Last sentence */
|
||
|
if (type == T_NSEC || type == T_RRSIG)
|
||
|
- return 1;
|
||
|
+ return 0;
|
||
|
|
||
|
/* NSEC with the same name as the RR we're testing, check
|
||
|
that the type in question doesn't appear in the type map */
|
||
|
rdlen -= p - psave;
|
||
|
- /* rdlen is now length of type map, and p points to it */
|
||
|
+ /* rdlen is now length of type map, and p points to it
|
||
|
+ packet checked to be as long as rdlen implies in prove_non_existence() */
|
||
|
|
||
|
/* If we can prove that there's no NS record, return that information. */
|
||
|
if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0)
|
||
|
@@ -1216,25 +1353,25 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||
|
/* A CNAME answer would also be valid, so if there's a CNAME is should
|
||
|
have been returned. */
|
||
|
if ((p[2] & (0x80 >> T_CNAME)) != 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
/* If the SOA bit is set for a DS record, then we have the
|
||
|
DS from the wrong side of the delegation. For the root DS,
|
||
|
this is expected. */
|
||
|
if (name_labels != 0 && type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
}
|
||
|
|
||
|
while (rdlen >= 2)
|
||
|
{
|
||
|
if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
if (p[0] == type >> 8)
|
||
|
{
|
||
|
/* Does the NSEC say our type exists? */
|
||
|
if (offset < p[1] && (p[offset+2] & mask) != 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
break; /* finished checking */
|
||
|
}
|
||
|
@@ -1243,24 +1380,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
|
||
|
p += p[1];
|
||
|
}
|
||
|
|
||
|
- return 1;
|
||
|
+ return 0;
|
||
|
}
|
||
|
else if (rc == -1)
|
||
|
{
|
||
|
/* Normal case, name falls between NSEC name and next domain name,
|
||
|
wrap around case, name falls between NSEC name (rc == -1) and end */
|
||
|
if (hostname_cmp(workspace2, name) >= 0 || hostname_cmp(workspace1, workspace2) >= 0)
|
||
|
- return 1;
|
||
|
+ return 0;
|
||
|
}
|
||
|
else
|
||
|
{
|
||
|
/* wrap around case, name falls between start and next domain name */
|
||
|
if (hostname_cmp(workspace1, workspace2) >= 0 && hostname_cmp(workspace2, name) >=0 )
|
||
|
- return 1;
|
||
|
+ return 0;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
}
|
||
|
|
||
|
/* return digest length, or zero on error */
|
||
|
@@ -1334,23 +1471,23 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||
|
for (i = 0; i < nsec_count; i++)
|
||
|
if ((p = nsecs[i]))
|
||
|
{
|
||
|
- if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
|
||
|
+ if (!extract_name(header, plen, &p, workspace1, 1, 10) ||
|
||
|
!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
|
||
|
return 0;
|
||
|
|
||
|
p += 8; /* class, type, TTL */
|
||
|
GETSHORT(rdlen, p);
|
||
|
+
|
||
|
psave = p;
|
||
|
+
|
||
|
+ /* packet checked to be as long as implied by rdlen, salt_len and hash_len in prove_non_existence() */
|
||
|
p++; /* algo */
|
||
|
flags = *p++; /* flags */
|
||
|
p += 2; /* iterations */
|
||
|
salt_len = *p++; /* salt_len */
|
||
|
p += salt_len; /* salt */
|
||
|
hash_len = *p++; /* p now points to next hashed name */
|
||
|
-
|
||
|
- if (!CHECK_LEN(header, p, plen, hash_len))
|
||
|
- return 0;
|
||
|
-
|
||
|
+
|
||
|
if (digest_len == base32_len && hash_len == base32_len)
|
||
|
{
|
||
|
int rc = memcmp(workspace2, digest, digest_len);
|
||
|
@@ -1358,7 +1495,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||
|
if (rc == 0)
|
||
|
{
|
||
|
/* We found an NSEC3 whose hashed name exactly matches the query, so
|
||
|
- we just need to check the type map. p points to the RR data for the record. */
|
||
|
+ we just need to check the type map. p points to the RR data for the record.
|
||
|
+ Note we have packet length up to rdlen bytes checked. */
|
||
|
|
||
|
int offset = (type & 0xff) >> 3;
|
||
|
int mask = 0x80 >> (type & 0x07);
|
||
|
@@ -1366,15 +1504,12 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||
|
p += hash_len; /* skip next-domain hash */
|
||
|
rdlen -= p - psave;
|
||
|
|
||
|
- if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
- return 0;
|
||
|
-
|
||
|
if (rdlen >= 2 && p[0] == 0)
|
||
|
{
|
||
|
/* If we can prove that there's no NS record, return that information. */
|
||
|
if (nons && (p[2] & (0x80 >> T_NS)) != 0)
|
||
|
*nons = 0;
|
||
|
-
|
||
|
+
|
||
|
/* A CNAME answer would also be valid, so if there's a CNAME is should
|
||
|
have been returned. */
|
||
|
if ((p[2] & (0x80 >> T_CNAME)) != 0)
|
||
|
@@ -1433,8 +1568,9 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
-static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
|
||
|
- char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons)
|
||
|
+/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */
|
||
|
+static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, char *workspace1,
|
||
|
+ char *workspace2, char *name, int type, char *wildname, int *nons, int *validate_counter)
|
||
|
{
|
||
|
unsigned char *salt, *p, *digest;
|
||
|
int digest_len, i, iterations, salt_len, base32_len, algo = 0;
|
||
|
@@ -1454,7 +1590,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
for (i = 0; i < nsec_count; i++)
|
||
|
{
|
||
|
if (!(p = skip_name(nsecs[i], header, plen, 15)))
|
||
|
- return 0; /* bad packet */
|
||
|
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
|
||
|
|
||
|
p += 10; /* type, class, TTL, rdlen */
|
||
|
algo = *p++;
|
||
|
@@ -1465,23 +1601,18 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
|
||
|
/* No usable NSEC3s */
|
||
|
if (i == nsec_count)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
p++; /* flags */
|
||
|
|
||
|
GETSHORT (iterations, p);
|
||
|
- /* Upper-bound iterations, to avoid DoS.
|
||
|
- Strictly, there are lower bounds for small keys, but
|
||
|
- since we don't have key size info here, at least limit
|
||
|
- to the largest bound, for 4096-bit keys. RFC 5155 10.3 */
|
||
|
- if (iterations > 2500)
|
||
|
- return 0;
|
||
|
+ /* Upper-bound iterations, to avoid DoS. RFC 9276 refers. */
|
||
|
+ if (iterations > daemon->limit[LIMIT_NSEC3_ITERS])
|
||
|
+ return DNSSEC_FAIL_NSEC3_ITERS;
|
||
|
|
||
|
salt_len = *p++;
|
||
|
salt = p;
|
||
|
- if (!CHECK_LEN(header, salt, plen, salt_len))
|
||
|
- return 0; /* bad packet */
|
||
|
-
|
||
|
+
|
||
|
/* Now prune so we only have NSEC3 records with same iterations, salt and algo */
|
||
|
for (i = 0; i < nsec_count; i++)
|
||
|
{
|
||
|
@@ -1491,7 +1622,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
nsecs[i] = NULL; /* Speculative, will be restored if OK. */
|
||
|
|
||
|
if (!(p = skip_name(nsec3p, header, plen, 15)))
|
||
|
- return 0; /* bad packet */
|
||
|
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
|
||
|
|
||
|
p += 10; /* type, class, TTL, rdlen */
|
||
|
|
||
|
@@ -1511,9 +1642,6 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
if (salt_len != *p++)
|
||
|
continue;
|
||
|
|
||
|
- if (!CHECK_LEN(header, p, plen, salt_len))
|
||
|
- return 0; /* bad packet */
|
||
|
-
|
||
|
if (memcmp(p, salt, salt_len) != 0)
|
||
|
continue;
|
||
|
|
||
|
@@ -1521,11 +1649,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
nsecs[i] = nsec3p;
|
||
|
}
|
||
|
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return DNSSEC_FAIL_WORK;
|
||
|
+
|
||
|
if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons, count_labels(name)))
|
||
|
- return 1;
|
||
|
+ return 0;
|
||
|
|
||
|
/* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3"
|
||
|
or an answer inferred from a wildcard record. */
|
||
|
@@ -1540,15 +1671,20 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
if (wildname && hostname_isequal(closest_encloser, wildname))
|
||
|
break;
|
||
|
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return DNSSEC_FAIL_WORK;
|
||
|
+
|
||
|
if ((digest_len = hash_name(closest_encloser, &digest, hash, salt, salt_len, iterations)) == 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
for (i = 0; i < nsec_count; i++)
|
||
|
if ((p = nsecs[i]))
|
||
|
{
|
||
|
- if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
|
||
|
- !(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
|
||
|
- return 0;
|
||
|
+ if (!extract_name(header, plen, &p, workspace1, 1, 0))
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
+
|
||
|
+ if (!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
if (digest_len == base32_len &&
|
||
|
memcmp(digest, workspace2, digest_len) == 0)
|
||
|
@@ -1563,35 +1699,43 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
|
||
|
while ((closest_encloser = strchr(closest_encloser, '.')));
|
||
|
|
||
|
if (!closest_encloser || !next_closest)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
/* Look for NSEC3 that proves the non-existence of the next-closest encloser */
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return DNSSEC_FAIL_WORK;
|
||
|
+
|
||
|
if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL, 1))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
/* Finally, check that there's no seat of wildcard synthesis */
|
||
|
if (!wildname)
|
||
|
{
|
||
|
if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
wildcard--;
|
||
|
*wildcard = '*';
|
||
|
|
||
|
+ if (dec_counter(validate_counter, NULL))
|
||
|
+ return DNSSEC_FAIL_WORK;
|
||
|
+
|
||
|
if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL, 1))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
}
|
||
|
|
||
|
- return 1;
|
||
|
+ return 0;
|
||
|
}
|
||
|
|
||
|
-static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons, int *nsec_ttl)
|
||
|
+/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */
|
||
|
+static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass,
|
||
|
+ char *wildname, int *nons, int *nsec_ttl, int *validate_counter)
|
||
|
{
|
||
|
static unsigned char **nsecset = NULL, **rrsig_labels = NULL;
|
||
|
static int nsecset_sz = 0, rrsig_labels_sz = 0;
|
||
|
@@ -1603,7 +1747,7 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
|
||
|
|
||
|
/* Move to NS section */
|
||
|
if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen)))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
auth_start = p;
|
||
|
|
||
|
@@ -1612,13 +1756,16 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
|
||
|
unsigned char *pstart = p;
|
||
|
|
||
|
if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
GETSHORT(type, p);
|
||
|
GETSHORT(class, p);
|
||
|
GETLONG(ttl, p);
|
||
|
GETSHORT(rdlen, p);
|
||
|
-
|
||
|
+
|
||
|
+ if (!CHECK_LEN(header, p, plen, rdlen))
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
+
|
||
|
if (class == qclass && (type == T_NSEC || type == T_NSEC3))
|
||
|
{
|
||
|
if (nsec_ttl)
|
||
|
@@ -1631,12 +1778,12 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
|
||
|
|
||
|
/* No mixed NSECing 'round here, thankyouverymuch */
|
||
|
if (type_found != 0 && type_found != type)
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
|
||
|
type_found = type;
|
||
|
|
||
|
if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
if (type == T_NSEC)
|
||
|
{
|
||
|
@@ -1651,30 +1798,33 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
|
||
|
int res, j, rdlen1, type1, class1;
|
||
|
|
||
|
if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
rrsig_labels[nsecs_found] = NULL;
|
||
|
|
||
|
for (j = ntohs(header->nscount); j != 0; j--)
|
||
|
{
|
||
|
- if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
|
||
|
- return 0;
|
||
|
+ unsigned char *psav;
|
||
|
|
||
|
+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
+
|
||
|
GETSHORT(type1, p1);
|
||
|
GETSHORT(class1, p1);
|
||
|
p1 += 4; /* TTL */
|
||
|
GETSHORT(rdlen1, p1);
|
||
|
|
||
|
+ psav = p1;
|
||
|
+
|
||
|
if (!CHECK_LEN(header, p1, plen, rdlen1))
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
|
||
|
if (res == 1 && class1 == qclass && type1 == T_RRSIG)
|
||
|
{
|
||
|
int type_covered;
|
||
|
- unsigned char *psav = p1;
|
||
|
-
|
||
|
+
|
||
|
if (rdlen1 < 18)
|
||
|
- return 0; /* bad packet */
|
||
|
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
|
||
|
|
||
|
GETSHORT(type_covered, p1);
|
||
|
|
||
|
@@ -1686,33 +1836,56 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
|
||
|
if (!rrsig_labels[nsecs_found])
|
||
|
rrsig_labels[nsecs_found] = p1;
|
||
|
else if (*rrsig_labels[nsecs_found] != *p1) /* algo */
|
||
|
- return 0;
|
||
|
- }
|
||
|
- p1 = psav;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
- if (!ADD_RDLEN(header, p1, plen, rdlen1))
|
||
|
- return 0;
|
||
|
+ p1 = psav + rdlen1;
|
||
|
}
|
||
|
|
||
|
/* Must have found at least one sig. */
|
||
|
if (!rrsig_labels[nsecs_found])
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
+ }
|
||
|
+ else if (type == T_NSEC3)
|
||
|
+ {
|
||
|
+ /* Decode the packet structure enough to check that rdlen is big enough
|
||
|
+ to contain everything other than the type bitmap.
|
||
|
+ (packet checked to be long enough to contain rdlen above)
|
||
|
+ We don't need to do any further length checks in check_nes3_coverage()
|
||
|
+ or prove_non_existence_nsec3() */
|
||
|
+
|
||
|
+ int salt_len, hash_len;
|
||
|
+ unsigned char *psav = p;
|
||
|
+
|
||
|
+ if (rdlen < 5)
|
||
|
+ return DNSSEC_FAIL_BADPACKET;
|
||
|
+
|
||
|
+ p += 4; /* algo, flags, iterations */
|
||
|
+ salt_len = *p++; /* salt_len */
|
||
|
+ if (rdlen < (6 + salt_len))
|
||
|
+ return DNSSEC_FAIL_BADPACKET; /* check up to hash_length */
|
||
|
+
|
||
|
+ p += salt_len; /* salt */
|
||
|
+ hash_len = *p++;
|
||
|
+ if (rdlen < (6 + salt_len + hash_len))
|
||
|
+ return DNSSEC_FAIL_BADPACKET; /* check to end of next hashed name */
|
||
|
+
|
||
|
+ p = psav;
|
||
|
}
|
||
|
|
||
|
nsecset[nsecs_found++] = pstart;
|
||
|
}
|
||
|
|
||
|
- if (!ADD_RDLEN(header, p, plen, rdlen))
|
||
|
- return 0;
|
||
|
+ p += rdlen;
|
||
|
}
|
||
|
|
||
|
if (type_found == T_NSEC)
|
||
|
return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
|
||
|
else if (type_found == T_NSEC3)
|
||
|
- return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons);
|
||
|
+ return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons, validate_counter);
|
||
|
else
|
||
|
- return 0;
|
||
|
+ return DNSSEC_FAIL_NONSEC;
|
||
|
}
|
||
|
|
||
|
/* Check signing status of name.
|
||
|
@@ -1807,16 +1980,17 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
|
||
|
STAT_BOGUS signature is wrong, bad packet, no validation where there should be.
|
||
|
STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname, class in *class)
|
||
|
STAT_NEED_DS need DS to complete validation (name is returned in keyname)
|
||
|
+ STAT_ABANDONED resource exhaustion.
|
||
|
|
||
|
daemon->rr_status points to a char array which corressponds to the RRs in the
|
||
|
- answer and auth sections. This is set to 1 for each RR which is validated, and 0 for any which aren't.
|
||
|
+ answer and auth sections. This is set to >1 for each RR which is validated, and 0 for any which aren't.
|
||
|
|
||
|
When validating replies to DS records, we're only interested in the NSEC{3} RRs in the auth section.
|
||
|
Other RRs in that section missing sigs will not cause am INSECURE reply. We determine this mode
|
||
|
- is the nons argument is non-NULL.
|
||
|
+ if the nons argument is non-NULL.
|
||
|
*/
|
||
|
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname,
|
||
|
- int *class, int check_unsigned, int *neganswer, int *nons, int *nsec_ttl)
|
||
|
+ int *class, int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_counter)
|
||
|
{
|
||
|
static unsigned char **targets = NULL;
|
||
|
static int target_sz = 0;
|
||
|
@@ -1825,7 +1999,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
int type1, class1, rdlen1 = 0, type2, class2, rdlen2, qclass, qtype, targetidx;
|
||
|
int i, j, rc = STAT_INSECURE;
|
||
|
int secure = STAT_SECURE;
|
||
|
-
|
||
|
+ int rc_nsec;
|
||
|
/* extend rr_status if necessary */
|
||
|
if (daemon->rr_status_sz < ntohs(header->ancount) + ntohs(header->nscount))
|
||
|
{
|
||
|
@@ -1854,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
|
||
|
/* Find all the targets we're looking for answers to.
|
||
|
The zeroth array element is for the query, subsequent ones
|
||
|
- for CNAME targets, unless the query is for a CNAME. */
|
||
|
+ for CNAME targets, unless the query is for a CNAME or ANY. */
|
||
|
|
||
|
if (!expand_workspace(&targets, &target_sz, 0))
|
||
|
return STAT_BOGUS;
|
||
|
@@ -1873,7 +2047,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
if (qtype == T_RRSIG)
|
||
|
return STAT_INSECURE;
|
||
|
|
||
|
- if (qtype != T_CNAME)
|
||
|
+ if (qtype != T_CNAME && qtype != T_ANY)
|
||
|
for (j = ntohs(header->ancount); j != 0; j--)
|
||
|
{
|
||
|
if (!(p1 = skip_name(p1, header, plen, 10)))
|
||
|
@@ -1947,7 +2121,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
{
|
||
|
/* NSEC and NSEC3 records must be signed. We make this assumption elsewhere. */
|
||
|
if (type1 == T_NSEC || type1 == T_NSEC3)
|
||
|
- rc = STAT_INSECURE;
|
||
|
+ return STAT_BOGUS | DNSSEC_FAIL_NOSIG;
|
||
|
else if (nons && i >= ntohs(header->ancount))
|
||
|
/* If we're validating a DS reply, rather than looking for the value of AD bit,
|
||
|
we only care that NSEC and NSEC3 RRs in the auth section are signed.
|
||
|
@@ -1959,15 +2133,16 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
if (check_unsigned && i < ntohs(header->ancount))
|
||
|
{
|
||
|
rc = zone_status(name, class1, keyname, now);
|
||
|
- if (rc == STAT_SECURE)
|
||
|
- rc = STAT_BOGUS;
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_SECURE))
|
||
|
+ rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG;
|
||
|
+
|
||
|
if (class)
|
||
|
*class = class1; /* Class for NEED_DS or NEED_KEY */
|
||
|
}
|
||
|
else
|
||
|
rc = STAT_INSECURE;
|
||
|
|
||
|
- if (rc != STAT_INSECURE)
|
||
|
+ if (!STAT_ISEQUAL(rc, STAT_INSECURE))
|
||
|
return rc;
|
||
|
}
|
||
|
}
|
||
|
@@ -1978,7 +2153,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
strcpy(daemon->workspacename, keyname);
|
||
|
rc = zone_status(daemon->workspacename, class1, keyname, now);
|
||
|
|
||
|
- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS))
|
||
|
{
|
||
|
if (class)
|
||
|
*class = class1; /* Class for NEED_DS or NEED_KEY */
|
||
|
@@ -1986,13 +2161,13 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
}
|
||
|
|
||
|
/* Zone is insecure, don't need to validate RRset */
|
||
|
- if (rc == STAT_SECURE)
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_SECURE))
|
||
|
{
|
||
|
unsigned long sig_ttl;
|
||
|
rc = validate_rrset(now, header, plen, class1, type1, sigcnt,
|
||
|
- rrcnt, name, keyname, &wildname, NULL, 0, 0, 0, &sig_ttl);
|
||
|
+ rrcnt, name, keyname, &wildname, NULL, 0, 0, 0, &sig_ttl, validate_counter);
|
||
|
|
||
|
- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS) || STAT_ISEQUAL(rc, STAT_ABANDONED))
|
||
|
{
|
||
|
if (class)
|
||
|
*class = class1; /* Class for DS or DNSKEY */
|
||
|
@@ -2025,50 +2200,53 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
|
||
|
Note that we may not yet have validated the NSEC/NSEC3 RRsets.
|
||
|
That's not a problem since if the RRsets later fail
|
||
|
we'll return BOGUS then. */
|
||
|
- if (rc == STAT_SECURE_WILDCARD &&
|
||
|
- !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL, NULL))
|
||
|
- return STAT_BOGUS;
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_SECURE_WILDCARD) &&
|
||
|
+ ((rc_nsec = prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL, NULL, validate_counter))) != 0)
|
||
|
+ return (rc_nsec & DNSSEC_FAIL_WORK) ? STAT_ABANDONED : (STAT_BOGUS | rc_nsec);
|
||
|
|
||
|
rc = STAT_SECURE;
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- if (rc == STAT_INSECURE)
|
||
|
+ if (STAT_ISEQUAL(rc, STAT_INSECURE))
|
||
|
secure = STAT_INSECURE;
|
||
|
}
|
||
|
|
||
|
/* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
|
||
|
- if (secure == STAT_SECURE)
|
||
|
- for (j = 0; j <targetidx; j++)
|
||
|
- if ((p2 = targets[j]))
|
||
|
- {
|
||
|
- if (neganswer)
|
||
|
- *neganswer = 1;
|
||
|
-
|
||
|
- if (!extract_name(header, plen, &p2, name, 1, 10))
|
||
|
- return STAT_BOGUS; /* bad packet */
|
||
|
-
|
||
|
- /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
|
||
|
-
|
||
|
- /* For anything other than a DS record, this situation is OK if either
|
||
|
- the answer is in an unsigned zone, or there's a NSEC records. */
|
||
|
- if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons, nsec_ttl))
|
||
|
- {
|
||
|
- /* Empty DS without NSECS */
|
||
|
- if (qtype == T_DS)
|
||
|
- return STAT_BOGUS;
|
||
|
-
|
||
|
- if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
|
||
|
- {
|
||
|
- if (class)
|
||
|
- *class = qclass; /* Class for NEED_DS or NEED_KEY */
|
||
|
- return rc;
|
||
|
- }
|
||
|
-
|
||
|
- return STAT_BOGUS; /* signed zone, no NSECs */
|
||
|
- }
|
||
|
- }
|
||
|
+ for (j = 0; j <targetidx; j++)
|
||
|
+ if ((p2 = targets[j]))
|
||
|
+ {
|
||
|
+ if (neganswer)
|
||
|
+ *neganswer = 1;
|
||
|
+
|
||
|
+ if (!extract_name(header, plen, &p2, name, 1, 10))
|
||
|
+ return STAT_BOGUS; /* bad packet */
|
||
|
+
|
||
|
+ /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
|
||
|
+
|
||
|
+ /* For anything other than a DS record, this situation is OK if either
|
||
|
+ the answer is in an unsigned zone, or there's a NSEC records. */
|
||
|
+ if ((rc_nsec = prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons, nsec_ttl, validate_counter)) != 0)
|
||
|
+ {
|
||
|
+ if (rc_nsec & DNSSEC_FAIL_WORK)
|
||
|
+ return STAT_ABANDONED;
|
||
|
+
|
||
|
+ /* Empty DS without NSECS */
|
||
|
+ if (qtype == T_DS)
|
||
|
+ return STAT_BOGUS | rc_nsec;
|
||
|
+
|
||
|
+ if ((rc_nsec & (DNSSEC_FAIL_NONSEC | DNSSEC_FAIL_NSEC3_ITERS)) &&
|
||
|
+ !STAT_ISEQUAL((rc = zone_status(name, qclass, keyname, now)), STAT_SECURE))
|
||
|
+ {
|
||
|
+ if (class)
|
||
|
+ *class = qclass; /* Class for NEED_DS or NEED_KEY */
|
||
|
+ return rc;
|
||
|
+ }
|
||
|
+
|
||
|
+ return STAT_BOGUS | rc_nsec; /* signed zone, no NSECs */
|
||
|
+ }
|
||
|
+ }
|
||
|
|
||
|
return secure;
|
||
|
}
|
||
|
diff --git a/src/forward.c b/src/forward.c
|
||
|
index 9ec426e..388b0c3 100644
|
||
|
--- a/src/forward.c
|
||
|
+++ b/src/forward.c
|
||
|
@@ -481,7 +481,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
|
||
|
if (ad_reqd)
|
||
|
forward->flags |= FREC_AD_QUESTION;
|
||
|
#ifdef HAVE_DNSSEC
|
||
|
- forward->work_counter = DNSSEC_WORK;
|
||
|
+ forward->work_counter = daemon->limit[LIMIT_WORK];
|
||
|
+ forward->validate_counter = daemon->limit[LIMIT_CRYPTO];
|
||
|
if (do_bit)
|
||
|
forward->flags |= FREC_DO_QUESTION;
|
||
|
#endif
|
||
|
@@ -865,6 +866,7 @@ void reply_query(int fd, time_t now)
|
||
|
serveraddr.in6.sin6_flowinfo = 0;
|
||
|
|
||
|
header = (struct dns_header *)daemon->packet;
|
||
|
+ size_t plen;
|
||
|
|
||
|
if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
|
||
|
return;
|
||
|
@@ -909,7 +911,6 @@ void reply_query(int fd, time_t now)
|
||
|
/* for broken servers, attempt to send to another one. */
|
||
|
{
|
||
|
unsigned char *pheader;
|
||
|
- size_t plen;
|
||
|
int is_sign;
|
||
|
|
||
|
#ifdef HAVE_DNSSEC
|
||
|
@@ -1048,34 +1049,40 @@ void reply_query(int fd, time_t now)
|
||
|
*/
|
||
|
if (header->hb3 & HB3_TC)
|
||
|
status = STAT_TRUNCATED;
|
||
|
-
|
||
|
+
|
||
|
+ struct frec *orig;
|
||
|
+ int log_resource = 0;
|
||
|
+
|
||
|
+
|
||
|
while (1)
|
||
|
{
|
||
|
/* As soon as anything returns BOGUS, we stop and unwind, to do otherwise
|
||
|
would invite infinite loops, since the answers to DNSKEY and DS queries
|
||
|
will not be cached, so they'll be repeated. */
|
||
|
+ /* Find the original query that started it all.... */
|
||
|
+ for (orig = forward; orig->dependent; orig = orig->dependent);
|
||
|
+
|
||
|
if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED)
|
||
|
{
|
||
|
if (forward->flags & FREC_DNSKEY_QUERY)
|
||
|
- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||
|
+ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
|
||
|
else if (forward->flags & FREC_DS_QUERY)
|
||
|
- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
|
||
|
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
|
||
|
else
|
||
|
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class,
|
||
|
!option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
|
||
|
- NULL, NULL, NULL);
|
||
|
-#ifdef HAVE_DUMPFILE
|
||
|
- if (status == STAT_BOGUS)
|
||
|
- dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS,
|
||
|
- header, (size_t)n, &serveraddr, NULL);
|
||
|
-#endif
|
||
|
+ NULL, NULL, NULL, &orig->validate_counter);
|
||
|
}
|
||
|
+ status = status & 0xffff0000;
|
||
|
+
|
||
|
+ if (status == STAT_ABANDONED)
|
||
|
+ log_resource = 1;
|
||
|
|
||
|
/* Can't validate, as we're missing key data. Put this
|
||
|
answer aside, whilst we get that. */
|
||
|
if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
|
||
|
{
|
||
|
- struct frec *new, *orig;
|
||
|
+ struct frec *new;
|
||
|
|
||
|
/* Free any saved query */
|
||
|
if (forward->stash)
|
||
|
@@ -1086,13 +1093,13 @@ void reply_query(int fd, time_t now)
|
||
|
return;
|
||
|
forward->stash_len = n;
|
||
|
|
||
|
- /* Find the original query that started it all.... */
|
||
|
- for (orig = forward; orig->dependent; orig = orig->dependent);
|
||
|
-
|
||
|
/* Make sure we don't expire and free the orig frec during the
|
||
|
allocation of a new one. */
|
||
|
- if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig)))
|
||
|
+ if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig))) {
|
||
|
status = STAT_ABANDONED;
|
||
|
+ my_syslog(LOG_WARNING, _("limit exceeded: per-query subqueries"));
|
||
|
+ log_resource = 1;
|
||
|
+ }
|
||
|
else
|
||
|
{
|
||
|
int querytype, fd, type = SERV_DO_DNSSEC;
|
||
|
@@ -1180,7 +1187,20 @@ void reply_query(int fd, time_t now)
|
||
|
}
|
||
|
return;
|
||
|
}
|
||
|
-
|
||
|
+ if (log_resource)
|
||
|
+ {
|
||
|
+ /* Log the actual validation that made us barf. */
|
||
|
+ unsigned char *p = (unsigned char *)(header+1);
|
||
|
+ if (extract_name(header, plen, &p, daemon->namebuff, 0, 4) == 1)
|
||
|
+ my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."),
|
||
|
+ daemon->namebuff[0] ? daemon->namebuff : ".");
|
||
|
+ }
|
||
|
+#ifdef HAVE_DUMPFILE
|
||
|
+ if (status == STAT_BOGUS)
|
||
|
+ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS,
|
||
|
+ header, (size_t)n, &serveraddr, NULL);
|
||
|
+#endif
|
||
|
+
|
||
|
/* Validated original answer, all done. */
|
||
|
if (!forward->dependent)
|
||
|
break;
|
||
|
@@ -1216,6 +1236,11 @@ void reply_query(int fd, time_t now)
|
||
|
domain = daemon->namebuff;
|
||
|
|
||
|
log_query(F_SECSTAT, domain, NULL, result);
|
||
|
+ if ((daemon->limit[LIMIT_CRYPTO] - orig->validate_counter) > (int)daemon->metrics[METRIC_CRYPTO_HWM])
|
||
|
+ daemon->metrics[METRIC_CRYPTO_HWM] = daemon->limit[LIMIT_CRYPTO] - orig->validate_counter;
|
||
|
+ if ((daemon->limit[LIMIT_WORK] - orig->work_counter) > (int)daemon->metrics[METRIC_WORK_HWM])
|
||
|
+ daemon->metrics[METRIC_WORK_HWM] = daemon->limit[LIMIT_WORK] - orig->work_counter;
|
||
|
+
|
||
|
}
|
||
|
|
||
|
if (status == STAT_SECURE)
|
||
|
@@ -1622,7 +1647,7 @@ void receive_query(struct listener *listen, time_t now)
|
||
|
/* Recurse up the key hierarchy */
|
||
|
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
|
||
|
int class, char *name, char *keyname, struct server *server,
|
||
|
- int have_mark, unsigned int mark, int *keycount)
|
||
|
+ int have_mark, unsigned int mark, int *keycount, int *validatecount)
|
||
|
{
|
||
|
int new_status;
|
||
|
unsigned char *packet = NULL;
|
||
|
@@ -1639,19 +1664,35 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
||
|
struct server *firstsendto = NULL;
|
||
|
|
||
|
/* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
|
||
|
- if (--(*keycount) == 0)
|
||
|
- new_status = STAT_ABANDONED;
|
||
|
- else if (status == STAT_NEED_KEY)
|
||
|
- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
|
||
|
+ if (status == STAT_NEED_KEY)
|
||
|
+ new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class, validatecount);
|
||
|
else if (status == STAT_NEED_DS)
|
||
|
- new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
|
||
|
+ new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount);
|
||
|
else
|
||
|
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
|
||
|
!option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
|
||
|
- NULL, NULL, NULL);
|
||
|
-
|
||
|
- if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
|
||
|
+ NULL, NULL, NULL, validatecount);
|
||
|
+ new_status = new_status & 0xffff0000;
|
||
|
+
|
||
|
+ if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY && new_status != STAT_ABANDONED)
|
||
|
break;
|
||
|
+
|
||
|
+ if ((*keycount)-- == 0)
|
||
|
+ {
|
||
|
+ my_syslog(LOG_WARNING, _("limit exceeded: per-query subqueries"));
|
||
|
+ new_status = STAT_ABANDONED;
|
||
|
+ }
|
||
|
+
|
||
|
+ if (new_status == STAT_ABANDONED)
|
||
|
+ {
|
||
|
+ /* Log the actual validation that made us barf. */
|
||
|
+ unsigned char *p = (unsigned char *)(header+1);
|
||
|
+ if (extract_name(header, n, &p, daemon->namebuff, 0, 4) == 1)
|
||
|
+ my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."),
|
||
|
+ daemon->namebuff[0] ? daemon->namebuff : ".");
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
|
||
|
/* Can't validate because we need a key/DS whose name now in keyname.
|
||
|
Make query for same, and recurse to validate */
|
||
|
@@ -1668,7 +1709,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
||
|
new_status = STAT_ABANDONED;
|
||
|
break;
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class,
|
||
|
new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz);
|
||
|
|
||
|
@@ -1763,7 +1804,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
|
||
|
server->flags |= SERV_GOT_TCP;
|
||
|
|
||
|
m = (c1 << 8) | c2;
|
||
|
- new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount);
|
||
|
+ new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount, validatecount);
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
@@ -2085,9 +2126,10 @@ unsigned char *tcp_request(int confd, time_t now,
|
||
|
#ifdef HAVE_DNSSEC
|
||
|
if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC))
|
||
|
{
|
||
|
- int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
|
||
|
+ int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
|
||
|
+ int validatecount = daemon->limit[LIMIT_CRYPTO];
|
||
|
int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname,
|
||
|
- last_server, have_mark, mark, &keycount);
|
||
|
+ last_server, have_mark, mark, &keycount, &validatecount);
|
||
|
char *result, *domain = "result";
|
||
|
|
||
|
if (status == STAT_ABANDONED)
|
||
|
@@ -2102,6 +2144,12 @@ unsigned char *tcp_request(int confd, time_t now,
|
||
|
domain = daemon->namebuff;
|
||
|
|
||
|
log_query(F_SECSTAT, domain, NULL, result);
|
||
|
+
|
||
|
+ if ((daemon->limit[LIMIT_CRYPTO] - validatecount) > (int)daemon->metrics[METRIC_CRYPTO_HWM])
|
||
|
+ daemon->metrics[METRIC_CRYPTO_HWM] = daemon->limit[LIMIT_CRYPTO] - validatecount;
|
||
|
+
|
||
|
+ if ((daemon->limit[LIMIT_WORK] - keycount) > (int)daemon->metrics[METRIC_WORK_HWM])
|
||
|
+ daemon->metrics[METRIC_WORK_HWM] = daemon->limit[LIMIT_WORK] - keycount;
|
||
|
|
||
|
if (status == STAT_BOGUS)
|
||
|
{
|
||
|
diff --git a/src/metrics.c b/src/metrics.c
|
||
|
index fac5b00..f32f426 100644
|
||
|
--- a/src/metrics.c
|
||
|
+++ b/src/metrics.c
|
||
|
@@ -37,6 +37,9 @@ const char * metric_names[] = {
|
||
|
"leases_pruned_4",
|
||
|
"leases_allocated_6",
|
||
|
"leases_pruned_6",
|
||
|
+ "dnssec_max_crypto_use",
|
||
|
+ "dnssec_max_sig_fail",
|
||
|
+ "dnssec_max_work"
|
||
|
};
|
||
|
|
||
|
const char* get_metric_name(int i) {
|
||
|
diff --git a/src/metrics.h b/src/metrics.h
|
||
|
index cecf8c8..ee0b93a 100644
|
||
|
--- a/src/metrics.h
|
||
|
+++ b/src/metrics.h
|
||
|
@@ -36,6 +36,9 @@ enum {
|
||
|
METRIC_LEASES_PRUNED_4,
|
||
|
METRIC_LEASES_ALLOCATED_6,
|
||
|
METRIC_LEASES_PRUNED_6,
|
||
|
+ METRIC_CRYPTO_HWM,
|
||
|
+ METRIC_SIG_FAIL_HWM,
|
||
|
+ METRIC_WORK_HWM,
|
||
|
|
||
|
__METRIC_MAX,
|
||
|
};
|
||
|
diff --git a/src/option.c b/src/option.c
|
||
|
index 25680c0..8b40332 100644
|
||
|
--- a/src/option.c
|
||
|
+++ b/src/option.c
|
||
|
@@ -170,6 +170,7 @@ struct myoption {
|
||
|
#define LOPT_PXE_VENDOR 361
|
||
|
#define LOPT_DYNHOST 362
|
||
|
#define LOPT_LOG_DEBUG 363
|
||
|
+#define LOPT_DNSSEC_LIMITS 364
|
||
|
|
||
|
#ifdef HAVE_GETOPT_LONG
|
||
|
static const struct option opts[] =
|
||
|
@@ -330,6 +331,7 @@ static const struct myoption opts[] =
|
||
|
{ "dnssec-check-unsigned", 2, 0, LOPT_DNSSEC_CHECK },
|
||
|
{ "dnssec-no-timecheck", 0, 0, LOPT_DNSSEC_TIME },
|
||
|
{ "dnssec-timestamp", 1, 0, LOPT_DNSSEC_STAMP },
|
||
|
+ { "dnssec-limits", 1, 0, LOPT_DNSSEC_LIMITS },
|
||
|
{ "dhcp-relay", 1, 0, LOPT_RELAY },
|
||
|
{ "ra-param", 1, 0, LOPT_RA_PARAM },
|
||
|
{ "quiet-dhcp", 0, 0, LOPT_QUIET_DHCP },
|
||
|
@@ -513,6 +515,7 @@ static struct {
|
||
|
{ LOPT_DNSSEC_CHECK, ARG_DUP, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
|
||
|
{ LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload"), NULL },
|
||
|
{ LOPT_DNSSEC_STAMP, ARG_ONE, "<path>", gettext_noop("Timestamp file to verify system clock for DNSSEC"), NULL },
|
||
|
+ { LOPT_DNSSEC_LIMITS, ARG_ONE, "<limit>,..", gettext_noop("Set resource limits for DNSSEC validation"), NULL },
|
||
|
{ LOPT_RA_PARAM, ARG_DUP, "<iface>,[mtu:<value>|<interface>|off,][<prio>,]<intval>[,<lifetime>]", gettext_noop("Set MTU, priority, resend-interval and router-lifetime"), NULL },
|
||
|
{ LOPT_QUIET_DHCP, OPT_QUIET_DHCP, NULL, gettext_noop("Do not log routine DHCP."), NULL },
|
||
|
{ LOPT_QUIET_DHCP6, OPT_QUIET_DHCP6, NULL, gettext_noop("Do not log routine DHCPv6."), NULL },
|
||
|
@@ -4524,6 +4527,24 @@ err:
|
||
|
}
|
||
|
|
||
|
#ifdef HAVE_DNSSEC
|
||
|
+ case LOPT_DNSSEC_LIMITS:
|
||
|
+ {
|
||
|
+ int lim, val;
|
||
|
+
|
||
|
+ for (lim = LIMIT_SIG_FAIL; arg && lim < LIMIT_MAX ; lim++, arg = comma)
|
||
|
+ {
|
||
|
+ comma = split(arg);
|
||
|
+
|
||
|
+ if (!atoi_check(arg, &val))
|
||
|
+ ret_err(gen_err);
|
||
|
+
|
||
|
+ if (val != 0)
|
||
|
+ daemon->limit[lim] = val;
|
||
|
+ }
|
||
|
+
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
case LOPT_DNSSEC_STAMP: /* --dnssec-timestamp */
|
||
|
daemon->timestamp_file = opt_string_alloc(arg);
|
||
|
break;
|
||
|
@@ -5084,6 +5105,12 @@ void read_opts(int argc, char **argv, char *compile_opts)
|
||
|
daemon->soa_refresh = SOA_REFRESH;
|
||
|
daemon->soa_retry = SOA_RETRY;
|
||
|
daemon->soa_expiry = SOA_EXPIRY;
|
||
|
+#ifdef HAVE_DNSSEC
|
||
|
+ daemon->limit[LIMIT_SIG_FAIL] = DNSSEC_LIMIT_SIG_FAIL;
|
||
|
+ daemon->limit[LIMIT_CRYPTO] = DNSSEC_LIMIT_CRYPTO;
|
||
|
+ daemon->limit[LIMIT_WORK] = DNSSEC_LIMIT_WORK;
|
||
|
+ daemon->limit[LIMIT_NSEC3_ITERS] = DNSSEC_LIMIT_NSEC3_ITERS;
|
||
|
+#endif
|
||
|
|
||
|
#ifndef NO_ID
|
||
|
add_txt("version.bind", "dnsmasq-" VERSION, 0 );
|
||
|
diff --git a/src/rrfilter.c b/src/rrfilter.c
|
||
|
index 58c6d8f..32ef34a 100644
|
||
|
--- a/src/rrfilter.c
|
||
|
+++ b/src/rrfilter.c
|
||
|
@@ -136,9 +136,9 @@ static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, i
|
||
|
|
||
|
if (class == C_IN)
|
||
|
{
|
||
|
- u16 *d;
|
||
|
+ short *d;
|
||
|
|
||
|
- for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++)
|
||
|
+ for (pp = p, d = rrfilter_desc(type); *d != -1; d++)
|
||
|
{
|
||
|
if (*d != 0)
|
||
|
pp += *d;
|
||
|
@@ -266,7 +266,7 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode)
|
||
|
}
|
||
|
|
||
|
/* This is used in the DNSSEC code too, hence it's exported */
|
||
|
-u16 *rrfilter_desc(int type)
|
||
|
+short *rrfilter_desc(int type)
|
||
|
{
|
||
|
/* List of RRtypes which include domains in the data.
|
||
|
0 -> domain
|
||
|
@@ -277,7 +277,7 @@ u16 *rrfilter_desc(int type)
|
||
|
anything which needs no mangling.
|
||
|
*/
|
||
|
|
||
|
- static u16 rr_desc[] =
|
||
|
+ static short rr_desc[] =
|
||
|
{
|
||
|
T_NS, 0, -1,
|
||
|
T_MD, 0, -1,
|
||
|
@@ -302,10 +302,10 @@ u16 *rrfilter_desc(int type)
|
||
|
0, -1 /* wildcard/catchall */
|
||
|
};
|
||
|
|
||
|
- u16 *p = rr_desc;
|
||
|
+ short *p = rr_desc;
|
||
|
|
||
|
while (*p != type && *p != 0)
|
||
|
- while (*p++ != (u16)-1);
|
||
|
+ while (*p++ != -1);
|
||
|
|
||
|
return p+1;
|
||
|
}
|