dnsmasq/SOURCES/dnsmasq-2.90-CVE-2023-50387...

2319 lines
82 KiB
Diff

commit 5eab3c6f13562230f1eeab3788585f73ffbf469d
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Wed Feb 28 16:51:17 2024 +0100
Fix CVE 2023-50387 and CVE 2023-50868
Add limits on the resources used to do DNSSEC validation.
DNSSEC introduces a potential CPU DoS, because a crafted domain
can force a validator to a large number of cryptographic
operations whilst attempting to do validation. When using TCP
transport a DNSKEY RRset contain thousands of members and any
RRset can have thousands of signatures. The potential number
of signature validations to follow the RFC for validation
for one RRset is the cross product of the keys and signatures,
so millions. In practice, the actual numbers are much lower,
so attacks can be mitigated by limiting the amount of
cryptographic "work" to a much lower amount. The actual
limits are number a signature validation fails per RRset(20),
number of signature validations and hash computations
per query(200), number of sub-queries to fetch DS and DNSKEY
RRsets per query(40), and the number of iterations in a
NSEC3 record(150). These values are sensible, but there is, as yet,
no standardisation on the values for a "conforming" domain, so a
new option --dnssec-limit is provided should they need to be altered.
The algorithm to validate DS records has also been altered to reduce
the maximum work from cross product of the number of DS records and
number of DNSKEYs to the cross product of the number of DS records
and supported DS digest types. As the number of DS digest types
is in single figures, this reduces the exposure.
Credit is due to Elias Heftrig, Haya Schulmann, Niklas Vogel,
and Michael Waidner from the German National Research Center for
Applied Cybersecurity ATHENE for finding this vulnerability.
CVE 2023-50387 and CVE 2023-50868 apply.
Note that the is a security vulnerablity only when DNSSEC validation
is enabled.
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index d80cad5..db94a99 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -762,6 +762,15 @@ Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clien
alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
.TP
+.B --dnssec-limits=<limit>[,<limit>.......]
+Override the default resource limits applied to DNSSEC validation. Cryptographic operations are expensive and crafted domains
+can DoS a DNSSEC validator by forcing it to do hundreds of thousands of such operations. To avoid this, the dnsmasq validation code
+applies limits on how much work will be expended in validation. If any of the limits are exceeded, the validation will fail and the
+domain treated as BOGUS. There are four limits, in order(default values in parens): number a signature validation fails per RRset(20), number of signature validations and
+hash computations per query(200), number of sub-queries to fetch DS and DNSKEY RRsets per query(40), and the number of iterations in a NSEC3 record(150).
+The maximum values reached during validation are stored, and dumped as part of the stats generated by SIGUSR1. Supplying a limit value of 0 leaves the default in place, so
+\fB--dnssec-limits=0,0,20\fP sets the number of sub-queries to 20 whilst leaving the other limits at default values.
+.TP
.B --dnssec-debug
Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
and don't convert replies which do not validate to responses with
diff --git a/src/config.h b/src/config.h
index 3878ba4..8d7bd79 100644
--- a/src/config.h
+++ b/src/config.h
@@ -22,7 +22,10 @@
#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
-#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_WORK 40 /* Max number of queries to validate one question */
+#define DNSSEC_LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
+#define DNSSEC_LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one query. */
+#define DNSSEC_LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allowed in NSEC3 record. */
#define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
#define FORWARD_TEST 50 /* try all servers every 50 queries */
#define FORWARD_TIME 20 /* or 20 seconds */
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 711ffd3..cf1c9c4 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -626,15 +626,30 @@ struct hostsfile {
/* DNSSEC status values. */
-#define STAT_SECURE 1
-#define STAT_INSECURE 2
-#define STAT_BOGUS 3
-#define STAT_NEED_DS 4
-#define STAT_NEED_KEY 5
-#define STAT_TRUNCATED 6
-#define STAT_SECURE_WILDCARD 7
-#define STAT_OK 8
-#define STAT_ABANDONED 9
+#define STAT_SECURE 0x10000
+#define STAT_INSECURE 0x20000
+#define STAT_BOGUS 0x30000
+#define STAT_NEED_DS 0x40000
+#define STAT_NEED_KEY 0x50000
+#define STAT_TRUNCATED 0x60000
+#define STAT_SECURE_WILDCARD 0x70000
+#define STAT_OK 0x80000
+#define STAT_ABANDONED 0x90000
+
+#define DNSSEC_FAIL_NYV 0x0001 /* key not yet valid */
+#define DNSSEC_FAIL_EXP 0x0002 /* key expired */
+#define DNSSEC_FAIL_INDET 0x0004 /* indetermined */
+#define DNSSEC_FAIL_NOKEYSUP 0x0008 /* no supported key algo. */
+#define DNSSEC_FAIL_NOSIG 0x0010 /* No RRsigs */
+#define DNSSEC_FAIL_NOZONE 0x0020 /* No Zone bit set */
+#define DNSSEC_FAIL_NONSEC 0x0040 /* No NSEC */
+#define DNSSEC_FAIL_NODSSUP 0x0080 /* no supported DS algo. */
+#define DNSSEC_FAIL_NOKEY 0x0100 /* no DNSKEY */
+#define DNSSEC_FAIL_NSEC3_ITERS 0x0200 /* too many iterations in NSEC3 */
+#define DNSSEC_FAIL_BADPACKET 0x0400 /* bad packet */
+#define DNSSEC_FAIL_WORK 0x0800 /* too much crypto */
+
+#define STAT_ISEQUAL(a, b) (((a) & 0xffff0000) == (b))
#define FREC_NOREBIND 1
#define FREC_CHECKING_DISABLED 2
@@ -666,7 +681,7 @@ struct frec {
time_t time;
unsigned char *hash[HASH_SIZE];
#ifdef HAVE_DNSSEC
- int class, work_counter;
+ int class, work_counter, validate_counter;
struct blockdata *stash; /* Saved reply, whilst we validate */
size_t stash_len;
struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
@@ -702,6 +717,12 @@ struct frec {
#define LEASE_TA 64 /* IPv6 temporary lease */
#define LEASE_HAVE_HWADDR 128 /* Have set hwaddress */
+#define LIMIT_SIG_FAIL 0
+#define LIMIT_CRYPTO 1
+#define LIMIT_WORK 2
+#define LIMIT_NSEC3_ITERS 3
+#define LIMIT_MAX 4
+
struct dhcp_lease {
int clid_len; /* length of client identifier */
unsigned char *clid; /* clientid */
@@ -1055,6 +1076,7 @@ extern struct daemon {
struct ds_config *ds;
int dnssec_no_time_check;
int back_to_the_future;
+ int limit[LIMIT_MAX];
char *timestamp_file;
#endif
@@ -1210,10 +1232,12 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
/* dnssec.c */
size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, union mysockaddr *addr, int edns_pktsz);
-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
+int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name,
+ char *keyname, int class, int *validate_count);
+int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name,
+ char *keyname, int class, int *validate_count);
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class,
- int check_unsigned, int *neganswer, int *nons);
+ int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_count);
int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen);
size_t filter_rrsigs(struct dns_header *header, size_t plen);
int setup_timestamp(void);
@@ -1602,7 +1626,7 @@ int do_poll(int timeout);
/* rrfilter.c */
size_t rrfilter(struct dns_header *header, size_t plen, int mode);
-u16 *rrfilter_desc(int type);
+short *rrfilter_desc(int type);
int expand_workspace(unsigned char ***wkspc, int *szp, int new);
/* edns0.c */
diff --git a/src/dnssec.c b/src/dnssec.c
index b2dda1b..fd6e722 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -186,10 +186,8 @@ int setup_timestamp(void)
}
/* Check whether today/now is between date_start and date_end */
-static int check_date_range(u32 date_start, u32 date_end)
+static int is_check_date(unsigned long curtime)
{
- unsigned long curtime = time(0);
-
/* Checking timestamps may be temporarily disabled */
/* If the current time if _before_ the timestamp
@@ -211,15 +209,10 @@ static int check_date_range(u32 date_start, u32 date_end)
queue_event(EVENT_RELOAD); /* purge cache */
}
- if (daemon->back_to_the_future == 0)
- return 1;
+ return daemon->back_to_the_future;
}
- else if (daemon->dnssec_no_time_check)
- return 1;
-
- /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
- return serial_compare_32(curtime, date_start) == SERIAL_GT
- && serial_compare_32(curtime, date_end) == SERIAL_LT;
+ else
+ return !daemon->dnssec_no_time_check;
}
/* Return bytes of canonicalised rrdata one by one.
@@ -232,7 +225,7 @@ static int check_date_range(u32 date_start, u32 date_end)
On returning 0, the end has been reached.
*/
struct rdata_state {
- u16 *desc;
+ short *desc;
size_t c;
unsigned char *end, *ip, *op;
char *buff;
@@ -253,7 +246,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state
{
d = *(state->desc);
- if (d == (u16)-1)
+ if (d == -1)
{
/* all the bytes to the end. */
if ((state->c = state->end - state->ip) != 0)
@@ -301,7 +294,7 @@ static int get_rdata(struct dns_header *header, size_t plen, struct rdata_state
/* Bubble sort the RRset into the canonical order. */
-static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx,
+static int sort_rrset(struct dns_header *header, size_t plen, short *rr_desc, int rrsetidx,
unsigned char **rrset, char *buff1, char *buff2)
{
int swap, i, j;
@@ -333,37 +326,64 @@ static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int
if (!CHECK_LEN(header, state2.ip, plen, rdlen2))
return rrsetidx; /* short packet */
state2.end = state2.ip + rdlen2;
-
- while (1)
+
+ /* If the RR has no names in it then canonicalisation
+ is the identity function and we can compare
+ the RRs directly. If not we compare the
+ canonicalised RRs one byte at a time. */
+ if (*rr_desc == -1)
{
- int ok1, ok2;
+ int rdmin = rdlen1 > rdlen2 ? rdlen2 : rdlen1;
+ int cmp = memcmp(state1.ip, state2.ip, rdmin);
- ok1 = get_rdata(header, plen, &state1);
- ok2 = get_rdata(header, plen, &state2);
-
- if (!ok1 && !ok2)
+ if (cmp > 0 || (cmp == 0 && rdlen1 > rdmin))
+ {
+ unsigned char *tmp = rrset[i+1];
+ rrset[i+1] = rrset[i];
+ rrset[i] = tmp;
+ swap = 1;
+ }
+ else if (cmp == 0 && (rdlen1 == rdlen2))
{
/* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
for (j = i+1; j < rrsetidx-1; j++)
rrset[j] = rrset[j+1];
rrsetidx--;
i--;
- break;
}
- else if (ok1 && (!ok2 || *state1.op > *state2.op))
- {
- unsigned char *tmp = rrset[i+1];
- rrset[i+1] = rrset[i];
- rrset[i] = tmp;
- swap = 1;
- break;
- }
- else if (ok2 && (!ok1 || *state2.op > *state1.op))
- break;
-
- /* arrive here when bytes are equal, go round the loop again
- and compare the next ones. */
}
+ else
+ /* Comparing canonicalised RRs, byte-at-a-time. */
+ while (1)
+ {
+ int ok1, ok2;
+
+ ok1 = get_rdata(header, plen, &state1);
+ ok2 = get_rdata(header, plen, &state2);
+
+ if (!ok1 && !ok2)
+ {
+ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
+ for (j = i+1; j < rrsetidx-1; j++)
+ rrset[j] = rrset[j+1];
+ rrsetidx--;
+ i--;
+ break;
+ }
+ else if (ok1 && (!ok2 || *state1.op > *state2.op))
+ {
+ unsigned char *tmp = rrset[i+1];
+ rrset[i+1] = rrset[i];
+ rrset[i] = tmp;
+ swap = 1;
+ break;
+ }
+ else if (ok2 && (!ok1 || *state2.op > *state1.op))
+ break;
+
+ /* arrive here when bytes are equal, go round the loop again
+ and compare the next ones. */
+ }
}
} while (swap);
@@ -383,7 +403,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
int gotkey = 0;
if (!(p = skip_questions(header, plen)))
- return STAT_BOGUS;
+ return 0;
/* look for RRSIGs for this RRset and get pointers to each RR in the set. */
for (rrsetidx = 0, sigidx = 0, j = ntohs(header->ancount) + ntohs(header->nscount);
@@ -395,14 +415,14 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
pstart = p;
if (!(res = extract_name(header, plen, &p, name, 0, 10)))
- return STAT_BOGUS; /* bad packet */
+ return 0; /* bad packet */
GETSHORT(stype, p);
GETSHORT(sclass, p);
- p += 4; /* TTL */
-
+
pdata = p;
+ p += 4; /* TTL */
GETSHORT(rdlen, p);
if (!CHECK_LEN(header, p, plen, rdlen))
@@ -465,7 +485,7 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
sigs[sigidx++] = pdata;
}
- p = pdata + 2; /* restore for ADD_RDLEN */
+ p = pdata + 6; /* restore for ADD_RDLEN */
}
}
@@ -479,12 +499,24 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
return 1;
}
+int dec_counter(int *counter, char *message)
+{
+ if ((*counter)-- == 0)
+ {
+ my_syslog(LOG_WARNING, "limit exceeded: %s", message ? message : _("per-query crypto work"));
+ return 1;
+ }
+
+ return 0;
+}
+
/* Validate a single RRset (class, type, name) in the supplied DNS reply
Return code:
STAT_SECURE if it validates.
STAT_SECURE_WILDCARD if it validates and is the result of wildcard expansion.
(In this case *wildcard_out points to the "body" of the wildcard within name.)
STAT_BOGUS signature is wrong, bad packet.
+ STAT_ABANDONED validation abandoned do to excess resource usage.
STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname)
STAT_NEED_DS need DS to complete validation (name is returned in keyname)
@@ -494,16 +526,23 @@ static int explore_rrset(struct dns_header *header, size_t plen, int class, int
Name is unchanged on exit. keyname is used as workspace and trashed.
Call explore_rrset first to find and count RRs and sigs.
+
+ ttl_out is the floor on TTL, based on TTL and orig_ttl and expiration of sig used to validate.
*/
static int validate_rrset(time_t now, struct dns_header *header, size_t plen, int class, int type, int sigidx, int rrsetidx,
- char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen, int algo_in, int keytag_in)
+ char *name, char *keyname, char **wildcard_out, struct blockdata *key, int keylen,
+ int algo_in, int keytag_in, unsigned long *ttl_out, int *validate_counter)
{
unsigned char *p;
- int rdlen, j, name_labels, algo, labels, orig_ttl, key_tag;
+ int rdlen, j, name_labels, algo, labels, key_tag, sig_fail_cnt;
struct crec *crecp = NULL;
- u16 *rr_desc = rrfilter_desc(type);
- u32 sig_expiration, sig_inception
-;
+ short *rr_desc = rrfilter_desc(type);
+ u32 sig_expiration, sig_inception;
+ int failflags = DNSSEC_FAIL_NOSIG | DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP | DNSSEC_FAIL_NOKEYSUP;
+
+ unsigned long curtime = time(0);
+ int time_check = is_check_date(curtime);
+
if (wildcard_out)
*wildcard_out = NULL;
@@ -515,16 +554,19 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
rrsetidx = sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname);
/* Now try all the sigs to try and find one which validates */
- for (j = 0; j <sigidx; j++)
+ for (sig_fail_cnt = daemon->limit[LIMIT_SIG_FAIL], j = 0; j <sigidx; j++)
{
unsigned char *psav, *sig, *digest;
int i, wire_len, sig_len;
const struct nettle_hash *hash;
void *ctx;
char *name_start;
- u32 nsigttl;
+ u32 nsigttl, ttl, orig_ttl;
+
+ failflags &= ~DNSSEC_FAIL_NOSIG;
p = sigs[j];
+ GETLONG(ttl, p);
GETSHORT(rdlen, p); /* rdlen >= 18 checked previously */
psav = p;
@@ -539,16 +581,47 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
if (!extract_name(header, plen, &p, keyname, 1, 0))
return STAT_BOGUS;
- if (!check_date_range(sig_inception, sig_expiration) ||
- labels > name_labels ||
- !(hash = hash_find(algo_digest_name(algo))) ||
+ if (!time_check)
+ failflags &= ~(DNSSEC_FAIL_NYV | DNSSEC_FAIL_EXP);
+ else
+ {
+ /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
+ if (serial_compare_32(curtime, sig_inception) == SERIAL_LT)
+ continue;
+ else
+ failflags &= ~DNSSEC_FAIL_NYV;
+
+ if (serial_compare_32(curtime, sig_expiration) == SERIAL_GT)
+ continue;
+ else
+ failflags &= ~DNSSEC_FAIL_EXP;
+ }
+
+ if (!(hash = hash_find(algo_digest_name(algo))))
+ continue;
+ else
+ failflags &= ~DNSSEC_FAIL_NOKEYSUP;
+
+ if (labels > name_labels ||
!hash_init(hash, &ctx, &digest))
continue;
/* OK, we have the signature record, see if the relevant DNSKEY is in the cache. */
if (!key && !(crecp = cache_find_by_name(NULL, keyname, now, F_DNSKEY)))
return STAT_NEED_KEY;
-
+
+ if (ttl_out)
+ {
+ /* 4035 5.3.3 rules on TTLs */
+ if (orig_ttl < ttl)
+ ttl = orig_ttl;
+
+ if (time_check && difftime(sig_expiration, curtime) < ttl)
+ ttl = difftime(sig_expiration, curtime);
+
+ *ttl_out = ttl;
+ }
+
sig = p;
sig_len = rdlen - (p - psav);
@@ -559,7 +632,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
hash->update(ctx, (unsigned int)wire_len, (unsigned char*)keyname);
from_wire(keyname);
-#define RRBUFLEN 300 /* Most RRs are smaller than this. */
+#define RRBUFLEN 128 /* Most RRs are smaller than this. */
for (i = 0; i < rrsetidx; ++i)
{
@@ -597,63 +670,85 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
hash->update(ctx, (unsigned int)wire_len, (unsigned char *)name_start);
hash->update(ctx, 4, p); /* class and type */
hash->update(ctx, 4, (unsigned char *)&nsigttl);
-
- p += 8; /* skip class, type, ttl */
+
+ p += 8; /* skip type, class, ttl */
GETSHORT(rdlen, p);
if (!CHECK_LEN(header, p, plen, rdlen))
return STAT_BOGUS;
-
- /* canonicalise rdata and calculate length of same, use
- name buffer as workspace for get_rdata. */
- state.ip = p;
- state.op = NULL;
- state.desc = rr_desc;
- state.buff = name;
- state.end = p + rdlen;
-
- for (j = 0; get_rdata(header, plen, &state); j++)
- if (j < RRBUFLEN)
- rrbuf[j] = *state.op;
- len = htons((u16)j);
- hash->update(ctx, 2, (unsigned char *)&len);
-
- /* If the RR is shorter than RRBUFLEN (most of them, in practice)
- then we can just digest it now. If it exceeds RRBUFLEN we have to
- go back to the start and do it in chunks. */
- if (j >= RRBUFLEN)
+ /* Optimisation for RR types which need no cannonicalisation.
+ This includes DNSKEY DS NSEC and NSEC3, which are also long, so
+ it saves lots of calls to get_rdata, and avoids the pessimal
+ segmented insertion, even with a small rrbuf[].
+
+ If canonicalisation is not needed, a simple insertion into the hash works.
+ */
+ if (*rr_desc == -1)
+ {
+ len = htons(rdlen);
+ hash->update(ctx, 2, (unsigned char *)&len);
+ hash->update(ctx, rdlen, p);
+ }
+ else
{
+ /* canonicalise rdata and calculate length of same, use
+ name buffer as workspace for get_rdata. */
state.ip = p;
state.op = NULL;
state.desc = rr_desc;
-
+ state.buff = name;
+ state.end = p + rdlen;
+
for (j = 0; get_rdata(header, plen, &state); j++)
+ if (j < RRBUFLEN)
+ rrbuf[j] = *state.op;
+
+ len = htons((u16)j);
+ hash->update(ctx, 2, (unsigned char *)&len);
+
+ /* If the RR is shorter than RRBUFLEN (most of them, in practice)
+ then we can just digest it now. If it exceeds RRBUFLEN we have to
+ go back to the start and do it in chunks. */
+ if (j >= RRBUFLEN)
{
- rrbuf[j] = *state.op;
-
- if (j == RRBUFLEN - 1)
- {
- hash->update(ctx, RRBUFLEN, rrbuf);
- j = -1;
- }
+ state.ip = p;
+ state.op = NULL;
+ state.desc = rr_desc;
+
+ for (j = 0; get_rdata(header, plen, &state); j++)
+ {
+ rrbuf[j] = *state.op;
+
+ if (j == RRBUFLEN - 1)
+ {
+ hash->update(ctx, RRBUFLEN, rrbuf);
+ j = -1;
+ }
+ }
}
+
+ if (j != 0)
+ hash->update(ctx, j, rrbuf);
}
-
- if (j != 0)
- hash->update(ctx, j, rrbuf);
}
hash->digest(ctx, hash->digest_size, digest);
/* namebuff used for workspace above, restore to leave unchanged on exit */
p = (unsigned char*)(rrset[0]);
- extract_name(header, plen, &p, name, 1, 0);
+ if (!extract_name(header, plen, &p, name, 1, 0))
+ return STAT_BOGUS;
if (key)
{
- if (algo_in == algo && keytag_in == key_tag &&
- verify(key, keylen, sig, sig_len, digest, hash->digest_size, algo))
- return STAT_SECURE;
+ if (algo_in == algo && keytag_in == key_tag)
+ {
+ if (dec_counter(validate_counter, NULL))
+ return STAT_ABANDONED;
+
+ if (verify(key, keylen, sig, sig_len, digest, hash->digest_size, algo))
+ return STAT_SECURE;
+ }
}
else
{
@@ -661,13 +756,25 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
for (; crecp; crecp = cache_find_by_name(crecp, keyname, now, F_DNSKEY))
if (crecp->addr.key.algo == algo &&
crecp->addr.key.keytag == key_tag &&
- crecp->uid == (unsigned int)class &&
- verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo))
- return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE;
+ crecp->uid == (unsigned int)class)
+ {
+ if (dec_counter(validate_counter, NULL))
+ return STAT_ABANDONED;
+
+ if (verify(crecp->addr.key.keydata, crecp->addr.key.keylen, sig, sig_len, digest, hash->digest_size, algo))
+ return (labels < name_labels) ? STAT_SECURE_WILDCARD : STAT_SECURE;
+
+ /* An attacker can waste a lot of our CPU by setting up a giant DNSKEY RRSET full of failing
+ keys, all of which we have to try. Since many failing keys is not likely for
+ a legitimate domain, set a limit on how many can fail. */
+ if (dec_counter(&sig_fail_cnt, _("per-RRSet signature fails")))
+ return STAT_ABANDONED;
+ }
}
}
- return STAT_BOGUS;
+ /* If we reach this point, no verifying key was found */
+ return STAT_BOGUS | failflags | DNSSEC_FAIL_NOKEY;
}
@@ -677,36 +784,45 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
STAT_OK Done, key(s) in cache.
STAT_BOGUS No DNSKEYs found, which can be validated with DS,
or self-sign for DNSKEY RRset is not valid, bad packet.
+ STAT_ABANDONED resource exhaustion.
STAT_NEED_DS DS records to validate a key not found, name in keyname
- STAT_NEED_KEY DNSKEY records to validate a key not found, name in keyname
*/
-int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
+int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name,
+ char *keyname, int class, int *validate_counter)
{
- unsigned char *psave, *p = (unsigned char *)(header+1);
+ unsigned char *psave, *p = (unsigned char *)(header+1), *keyaddr;
struct crec *crecp, *recp1;
- int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag;
- struct blockdata *key;
+ int rc, j, qtype, qclass, rdlen, flags, algo, keytag, sigcnt, rrcnt;
+ unsigned long ttl, sig_ttl;
struct all_addr a;
+ int failflags = DNSSEC_FAIL_NODSSUP | DNSSEC_FAIL_NOZONE;
+ char valid_digest[255];
+ static unsigned char **cached_digest;
+ static size_t cached_digest_size = 0;
- if (ntohs(header->qdcount) != 1 ||
- !extract_name(header, plen, &p, name, 1, 4))
- return STAT_BOGUS;
+ if (ntohs(header->qdcount) != 1 || RCODE(header) != NOERROR || !extract_name(header, plen, &p, name, 1, 4))
+ return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
GETSHORT(qtype, p);
GETSHORT(qclass, p);
- if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
- return STAT_BOGUS;
+ if (qtype != T_DNSKEY || qclass != class ||
+ !explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) ||
+ rrcnt == 0)
+ return STAT_BOGUS | DNSSEC_FAIL_NOKEY;
+ if (sigcnt == 0)
+ return STAT_BOGUS | DNSSEC_FAIL_NOSIG;
+
/* See if we have cached a DS record which validates this key */
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
{
strcpy(keyname, name);
return STAT_NEED_DS;
}
-
+
/* NOTE, we need to find ONE DNSKEY which matches the DS */
- for (valid = 0, j = ntohs(header->ancount); j != 0 && !valid; j--)
+ for (j = ntohs(header->ancount); j != 0; j--)
{
/* Ensure we have type, class TTL and length */
if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
@@ -717,7 +833,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETLONG(ttl, p);
GETSHORT(rdlen, p);
- if (!CHECK_LEN(header, p, plen, rdlen) || rdlen < 4)
+ if (!CHECK_LEN(header, p, plen, rdlen))
return STAT_BOGUS; /* bad packet */
if (qclass != class || qtype != T_DNSKEY || rc == 2)
@@ -725,171 +841,233 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
p += rdlen;
continue;
}
-
+
+ if (rdlen < 5)
+ return STAT_BOGUS; /* min 1 byte key! */
+
psave = p;
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_BOGUS;
- algo = *p++;
- keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
- key = NULL;
-
- /* key must have zone key flag set */
- if (flags & 0x100)
- key = blockdata_alloc((char*)p, rdlen - 4);
-
- p = psave;
-
- if (!ADD_RDLEN(header, p, plen, rdlen))
{
- if (key)
- blockdata_free(key);
- return STAT_BOGUS; /* bad packet */
+ p = psave + rdlen;
+ continue;
}
+ algo = *p++;
+ keyaddr = p;
+ keytag = dnskey_keytag(algo, flags, keyaddr, rdlen - 4);
+
+ p = psave + rdlen;
- /* No zone key flag or malloc failure */
- if (!key)
+ /* key must have zone key flag set */
+ if (!(flags & 0x100))
continue;
+ failflags &= ~DNSSEC_FAIL_NOZONE;
+
+ /* clear digest cache. */
+ memset(valid_digest, 0, sizeof(valid_digest));
+
for (recp1 = crecp; recp1; recp1 = cache_find_by_name(recp1, name, now, F_DS))
{
void *ctx;
unsigned char *digest, *ds_digest;
const struct nettle_hash *hash;
- int sigcnt, rrcnt;
+ int wire_len;
+
+ if ((recp1->flags & F_NEG) ||
+ recp1->addr.ds.algo != algo ||
+ recp1->addr.ds.keytag != keytag ||
+ recp1->uid != (unsigned int)class)
+ continue;
+
+ if (!(hash = hash_find(ds_digest_name(recp1->addr.ds.digest))))
+ continue;
+
+ failflags &= ~DNSSEC_FAIL_NODSSUP;
+
+ if (recp1->addr.ds.keylen != (int)hash->digest_size ||
+ !(ds_digest = blockdata_retrieve(recp1->addr.ds.keydata, recp1->addr.ds.keylen, NULL)))
+ continue;
- if (recp1->addr.ds.algo == algo &&
- recp1->addr.ds.keytag == keytag &&
- recp1->uid == (unsigned int)class &&
- (hash = hash_find(ds_digest_name(recp1->addr.ds.digest))) &&
- hash_init(hash, &ctx, &digest))
-
+ if (valid_digest[recp1->addr.ds.digest])
+ digest = cached_digest[recp1->addr.ds.digest];
+ else
{
- int wire_len = to_wire(name);
+ /* computing a hash is a unit of crypto work. */
+ if (dec_counter(validate_counter, NULL))
+ return STAT_ABANDONED;
+
+ if (!hash_init(hash, &ctx, &digest))
+ continue;
+
+ wire_len = to_wire(name);
/* Note that digest may be different between DSs, so
- we can't move this outside the loop. */
+ we can't move this outside the loop. We keep
+ copies of each digest we make for this key,
+ so maximum digest work is O(keys x digests_types)
+ rather then O(keys x DSs) */
hash->update(ctx, (unsigned int)wire_len, (unsigned char *)name);
hash->update(ctx, (unsigned int)rdlen, psave);
hash->digest(ctx, hash->digest_size, digest);
from_wire(name);
-
- if (!(recp1->flags & F_NEG) &&
- recp1->addr.ds.keylen == (int)hash->digest_size &&
- (ds_digest = blockdata_retrieve(recp1->addr.key.keydata, recp1->addr.ds.keylen, NULL)) &&
- memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0 &&
- explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &rrcnt) &&
- sigcnt != 0 && rrcnt != 0 &&
- validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname,
- NULL, key, rdlen - 4, algo, keytag) == STAT_SECURE)
+
+ if (recp1->addr.ds.digest >= cached_digest_size)
{
- valid = 1;
- break;
+ unsigned char **new;
+
+ /* whine_malloc zeros memory */
+ if ((new = whine_malloc((recp1->addr.ds.digest + 5) * sizeof(unsigned char *))))
+ {
+ if (cached_digest_size != 0)
+ {
+ memcpy(new, cached_digest, cached_digest_size * sizeof(unsigned char *));
+ free(cached_digest);
+ }
+
+ cached_digest_size = recp1->addr.ds.digest + 5;
+ cached_digest = new;
+ }
+ }
+
+ if (recp1->addr.ds.digest < cached_digest_size)
+ {
+ if (!cached_digest[recp1->addr.ds.digest])
+ cached_digest[recp1->addr.ds.digest] = whine_malloc(recp1->addr.ds.keylen);
+
+ if (cached_digest[recp1->addr.ds.digest])
+ {
+ memcpy(cached_digest[recp1->addr.ds.digest], digest, recp1->addr.ds.keylen);
+ valid_digest[recp1->addr.ds.digest] = 1;
+ }
}
}
- }
- blockdata_free(key);
- }
-
- if (valid)
- {
- /* DNSKEY RRset determined to be OK, now cache it. */
- cache_start_insert();
-
- p = skip_questions(header, plen);
-
- for (j = ntohs(header->ancount); j != 0; j--)
- {
- /* Ensure we have type, class TTL and length */
- if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
- return STAT_BOGUS; /* bad packet */
- GETSHORT(qtype, p);
- GETSHORT(qclass, p);
- GETLONG(ttl, p);
- GETSHORT(rdlen, p);
-
- if (!CHECK_LEN(header, p, plen, rdlen))
- return STAT_BOGUS; /* bad packet */
-
- if (qclass == class && rc == 1)
+ if (memcmp(ds_digest, digest, recp1->addr.ds.keylen) == 0)
{
- psave = p;
+ /* Found the key validated by a DS record.
+ Now check the self-sig for the entire key RRset using that key.
+ Note that validate_rrset() will never return STAT_NEED_KEY here,
+ since we supply the key it will use as an argument. */
+ struct blockdata *key;
+
+ if (!(key = blockdata_alloc((char *)keyaddr, rdlen - 4)))
+ break;
+
+ rc = validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name, keyname,
+ NULL, key, rdlen - 4, algo, keytag, &sig_ttl, validate_counter);
+
+ blockdata_free(key);
+
+ if (STAT_ISEQUAL(rc, STAT_ABANDONED))
+ return rc;
+
+ /* can't validate KEY RRset with this key, see if there's another that
+ will, which is validated by another DS. */
+ if (!STAT_ISEQUAL(rc, STAT_SECURE))
+ break;
- if (qtype == T_DNSKEY)
+ /* DNSKEY RRset determined to be OK, now cache it. */
+ cache_start_insert();
+
+ p = skip_questions(header, plen);
+
+ for (j = ntohs(header->ancount); j != 0; j--)
{
- if (rdlen < 4)
+ /* Ensure we have type, class TTL and length */
+ if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
return STAT_BOGUS; /* bad packet */
- GETSHORT(flags, p);
- if (*p++ != 3)
- return STAT_BOGUS;
- algo = *p++;
- keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
+ GETSHORT(qtype, p);
+ GETSHORT(qclass, p);
+ GETLONG(ttl, p);
+ GETSHORT(rdlen, p);
- /* Cache needs to known class for DNSSEC stuff */
- a.addr.dnssec.class = class;
+ /* TTL may be limited by sig. */
+ if (sig_ttl < ttl)
+ ttl = sig_ttl;
- if ((key = blockdata_alloc((char*)p, rdlen - 4)))
- {
- if (!(recp1 = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK)))
- {
- blockdata_free(key);
- return STAT_BOGUS;
- }
- else
- {
- a.addr.log.keytag = keytag;
- a.addr.log.algo = algo;
- if (algo_digest_name(algo))
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
- else
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
-
- recp1->addr.key.keylen = rdlen - 4;
- recp1->addr.key.keydata = key;
- recp1->addr.key.algo = algo;
- recp1->addr.key.keytag = keytag;
- recp1->addr.key.flags = flags;
- }
- }
+ if (!CHECK_LEN(header, p, plen, rdlen))
+ return STAT_BOGUS; /* bad packet */
+
+ psave = p;
+
+ if (qclass == class && rc == 1 && qtype == T_DNSKEY)
+ {
+ if (rdlen < 4)
+ return STAT_BOGUS; /* min 1 byte key! */
+
+ GETSHORT(flags, p);
+ if (*p++ == 3)
+ {
+ algo = *p++;
+ keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
+
+ /* Cache needs to known class for DNSSEC stuff */
+ a.addr.dnssec.class = class;
+
+ if (!(key = blockdata_alloc((char*)p, rdlen - 4)))
+ return STAT_BOGUS;
+
+ if (!(recp1 = cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK)))
+ {
+ blockdata_free(key);
+ return STAT_BOGUS;
+ }
+
+ a.addr.log.keytag = keytag;
+ a.addr.log.algo = algo;
+ if (algo_digest_name(algo))
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu");
+ else
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DNSKEY keytag %hu, algo %hu (not supported)");
+
+ recp1->addr.key.keylen = rdlen - 4;
+ recp1->addr.key.keydata = key;
+ recp1->addr.key.algo = algo;
+ recp1->addr.key.keytag = keytag;
+ recp1->addr.key.flags = flags;
+ }
+ }
+
+ p = psave + rdlen;
}
-
- p = psave;
+
+ /* commit cache insert. */
+ cache_end_insert();
+ return STAT_OK;
}
-
- if (!ADD_RDLEN(header, p, plen, rdlen))
- return STAT_BOGUS; /* bad packet */
}
-
- /* commit cache insert. */
- cache_end_insert();
- return STAT_OK;
}
-
+
log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY");
- return STAT_BOGUS;
+ return STAT_BOGUS | failflags;
}
/* The DNS packet is expected to contain the answer to a DS query
- Put all DSs in the answer which are valid into the cache.
+ Put all DSs in the answer which are valid and have hash and signature algos
+ we support into the cache.
Also handles replies which prove that there's no DS at this location,
either because the zone is unsigned or this isn't a zone cut. These are
cached too.
+ If none of the DS's are for supported algos, treat the answer as if
+ it's a proof of no DS at this location. RFC4035 para 5.2.
return codes:
STAT_OK At least one valid DS found and in cache.
STAT_BOGUS no DS in reply or not signed, fails validation, bad packet.
STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyname
STAT_NEED_DS DS record needed.
+ STAT_ABANDONED resource exhaustion.
*/
-int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
+int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name,
+ char *keyname, int class, int *validate_counter)
{
unsigned char *p = (unsigned char *)(header+1);
- int qtype, qclass, rc, i, neganswer, nons;
- int aclass, atype, rdlen;
+ int qtype, qclass, rc, i, neganswer = 0, nons = 0, servfail = 0, neg_ttl = 0, found_supported = 0;
+ int aclass, atype, rdlen, flags;
unsigned long ttl;
struct all_addr a;
@@ -901,35 +1079,51 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
GETSHORT(qclass, p);
if (qtype != T_DS || qclass != class)
- rc = STAT_BOGUS;
+ return STAT_BOGUS;
+
+ /* A SERVFAIL answer has been seen to a DS query not at start of authority,
+ so treat it as such and continue to search for a DS or proof of no existence
+ further down the tree. */
+ if (RCODE(header) == SERVFAIL)
+ servfail = neganswer = nons = 1;
else
- rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons);
+ {
+ rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons, &neg_ttl, validate_counter);
- if (rc == STAT_INSECURE)
- rc = STAT_BOGUS;
-
- p = (unsigned char *)(header+1);
- extract_name(header, plen, &p, name, 1, 4);
- p += 4; /* qtype, qclass */
+ if (STAT_ISEQUAL(rc, STAT_INSECURE))
+ {
+ my_syslog(LOG_WARNING, _("Insecure DS reply received for %s, check domain configuration and upstream DNS server DNSSEC support"), name);
+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS - not secure");
+ return STAT_BOGUS | DNSSEC_FAIL_INDET;
+ }
+
+ p = (unsigned char *)(header+1);
+ if (!extract_name(header, plen, &p, name, 1, 4))
+ return STAT_BOGUS;
+
+ p += 4; /* qtype, qclass */
+
+ /* If the key needed to validate the DS is on the same domain as the DS, we'll
+ loop getting nowhere. Stop that now. This can happen of the DS answer comes
+ from the DS's zone, and not the parent zone. */
+ if (STAT_ISEQUAL(rc, STAT_NEED_KEY) && hostname_isequal(name, keyname))
+ {
+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
+ return STAT_BOGUS;
+ }
- /* If the key needed to validate the DS is on the same domain as the DS, we'll
- loop getting nowhere. Stop that now. This can happen of the DS answer comes
- from the DS's zone, and not the parent zone. */
- if (rc == STAT_BOGUS || (rc == STAT_NEED_KEY && hostname_isequal(name, keyname)))
- {
- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS");
- return STAT_BOGUS;
+ if (!STAT_ISEQUAL(rc, STAT_SECURE))
+ return rc;
}
- if (rc != STAT_SECURE)
- return rc;
-
if (!neganswer)
{
cache_start_insert();
for (i = 0; i < ntohs(header->ancount); i++)
{
+ unsigned char *psave;
+
if (!(rc = extract_name(header, plen, &p, name, 0, 10)))
return STAT_BOGUS; /* bad packet */
@@ -940,16 +1134,16 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if (!CHECK_LEN(header, p, plen, rdlen))
return STAT_BOGUS; /* bad packet */
+
+ psave = p;
if (aclass == class && atype == T_DS && rc == 1)
{
int algo, digest, keytag;
- unsigned char *psave = p;
struct blockdata *key;
- struct crec *crecp;
-
- if (rdlen < 4)
- return STAT_BOGUS; /* bad packet */
+
+ if (rdlen < 5)
+ return STAT_BOGUS; /* min 1 byte digest! */
GETSHORT(keytag, p);
algo = *p++;
@@ -957,9 +1151,19 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
/* Cache needs to known class for DNSSEC stuff */
a.addr.dnssec.class = class;
-
- if ((key = blockdata_alloc((char*)p, rdlen - 4)))
+
+ if (!ds_digest_name(digest) || !algo_digest_name(algo))
+ {
+ a.addr.log.keytag = keytag;
+ a.addr.log.algo = algo;
+ a.addr.log.digest = digest;
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS for keytag %hu, algo %hu, digest %hu (not supported)");
+ neg_ttl = ttl;
+ }
+ else if ((key = blockdata_alloc((char*)p, rdlen - 4)))
{
+ struct crec *crecp;
+
if (!(crecp = cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_DNSSECOK)))
{
blockdata_free(key);
@@ -967,39 +1171,36 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
}
else
{
- a.addr.log.keytag = keytag;
+ a.addr.log.keytag = keytag;
a.addr.log.algo = algo;
a.addr.log.digest = digest;
- if (ds_digest_name(digest) && algo_digest_name(algo))
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu");
- else
- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %hu, algo %hu, digest %hu (not supported)");
-
- crecp->addr.ds.digest = digest;
- crecp->addr.ds.keydata = key;
- crecp->addr.ds.algo = algo;
- crecp->addr.ds.keytag = keytag;
- crecp->addr.ds.keylen = rdlen - 4;
+ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS for keytag %hu, algo %hu, digest %hu");
+
+ crecp->addr.ds.digest = digest;
+ crecp->addr.ds.keydata = key;
+ crecp->addr.ds.algo = algo;
+ crecp->addr.ds.keytag = keytag;
+ crecp->addr.ds.keylen = rdlen - 4;
+
+ found_supported = 1;
}
}
-
- p = psave;
}
- if (!ADD_RDLEN(header, p, plen, rdlen))
- return STAT_BOGUS; /* bad packet */
+
+ p = psave + rdlen;
}
cache_end_insert();
+ /* Fall through if no supported algo DS found. */
+ if (found_supported)
+ return STAT_OK;
}
- else
+
+ flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
+
+ if (neganswer)
{
- int flags = F_FORWARD | F_DS | F_NEG | F_DNSSECOK;
- unsigned long minttl = ULONG_MAX;
-
- if (!(p = skip_section(p, ntohs(header->ancount), header, plen)))
- return STAT_BOGUS;
-
if (RCODE(header) == NXDOMAIN)
flags |= F_NXDOMAIN;
@@ -1007,57 +1208,21 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
to store presence/absence of NS. */
if (nons)
flags &= ~F_DNSSECOK;
-
- for (i = ntohs(header->nscount); i != 0; i--)
- {
- if (!(p = skip_name(p, header, plen, 0)))
- return STAT_BOGUS;
-
- GETSHORT(atype, p);
- GETSHORT(aclass, p);
- GETLONG(ttl, p);
- GETSHORT(rdlen, p);
-
- if (!CHECK_LEN(header, p, plen, rdlen))
- return STAT_BOGUS; /* bad packet */
-
- if (aclass != class || atype != T_SOA)
- {
- p += rdlen;
- continue;
- }
-
- if (ttl < minttl)
- minttl = ttl;
-
- /* MNAME */
- if (!(p = skip_name(p, header, plen, 0)))
- return STAT_BOGUS;
- /* RNAME */
- if (!(p = skip_name(p, header, plen, 20)))
- return STAT_BOGUS;
- p += 16; /* SERIAL REFRESH RETRY EXPIRE */
-
- GETLONG(ttl, p); /* minTTL */
- if (ttl < minttl)
- minttl = ttl;
-
- break;
- }
-
- if (i != 0)
- {
- cache_start_insert();
-
- a.addr.dnssec.class = class;
- if (!cache_insert(name, &a, now, ttl, flags))
- return STAT_BOGUS;
-
- cache_end_insert();
-
- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS");
- }
}
+
+ cache_start_insert();
+
+ a.addr.dnssec.class = class;
+
+ /* Use TTL from NSEC for negative cache entries */
+ if (!cache_insert(name, NULL, now, neg_ttl, flags))
+ return STAT_BOGUS;
+
+ cache_end_insert();
+
+ if (neganswer)
+ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL,
+ servfail ? "SERVFAIL" : (nons ? "no DS/cut" : "no DS"));
return STAT_OK;
}
@@ -1127,6 +1292,7 @@ static int hostname_cmp(const char *a, const char *b)
}
}
+/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */
static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count,
char *workspace1_in, char *workspace2, char *name, int type, int *nons)
{
@@ -1146,12 +1312,12 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
p = nsecs[i];
if (!extract_name(header, plen, &p, workspace1, 1, 10))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
p += 8; /* class, type, TTL */
GETSHORT(rdlen, p);
psave = p;
- if (!extract_name(header, plen, &p, workspace2, 1, 10))
- return 0;
+ if (!extract_name(header, plen, &p, workspace2, 1, 0))
+ return DNSSEC_FAIL_BADPACKET;
/* If NSEC comes from wildcard expansion, use original wildcard
as name for computation. */
@@ -1179,12 +1345,13 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
{
/* 4035 para 5.4. Last sentence */
if (type == T_NSEC || type == T_RRSIG)
- return 1;
+ return 0;
/* NSEC with the same name as the RR we're testing, check
that the type in question doesn't appear in the type map */
rdlen -= p - psave;
- /* rdlen is now length of type map, and p points to it */
+ /* rdlen is now length of type map, and p points to it
+ packet checked to be as long as rdlen implies in prove_non_existence() */
/* If we can prove that there's no NS record, return that information. */
if (nons && rdlen >= 2 && p[0] == 0 && (p[2] & (0x80 >> T_NS)) != 0)
@@ -1195,25 +1362,25 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
/* A CNAME answer would also be valid, so if there's a CNAME is should
have been returned. */
if ((p[2] & (0x80 >> T_CNAME)) != 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
/* If the SOA bit is set for a DS record, then we have the
DS from the wrong side of the delegation. For the root DS,
this is expected. */
if (name_labels != 0 && type == T_DS && (p[2] & (0x80 >> T_SOA)) != 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
}
while (rdlen >= 2)
{
if (!CHECK_LEN(header, p, plen, rdlen))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
if (p[0] == type >> 8)
{
/* Does the NSEC say our type exists? */
if (offset < p[1] && (p[offset+2] & mask) != 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
break; /* finished checking */
}
@@ -1222,24 +1389,24 @@ static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsi
p += p[1];
}
- return 1;
+ return 0;
}
else if (rc == -1)
{
/* Normal case, name falls between NSEC name and next domain name,
wrap around case, name falls between NSEC name (rc == -1) and end */
if (hostname_cmp(workspace2, name) >= 0 || hostname_cmp(workspace1, workspace2) >= 0)
- return 1;
+ return 0;
}
else
{
/* wrap around case, name falls between start and next domain name */
if (hostname_cmp(workspace1, workspace2) >= 0 && hostname_cmp(workspace2, name) >=0 )
- return 1;
+ return 0;
}
}
- return 0;
+ return DNSSEC_FAIL_NONSEC;
}
/* return digest length, or zero on error */
@@ -1313,23 +1480,23 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
for (i = 0; i < nsec_count; i++)
if ((p = nsecs[i]))
{
- if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
+ if (!extract_name(header, plen, &p, workspace1, 1, 10) ||
!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
return 0;
p += 8; /* class, type, TTL */
GETSHORT(rdlen, p);
+
psave = p;
+
+ /* packet checked to be as long as implied by rdlen, salt_len and hash_len in prove_non_existence() */
p++; /* algo */
flags = *p++; /* flags */
p += 2; /* iterations */
salt_len = *p++; /* salt_len */
p += salt_len; /* salt */
hash_len = *p++; /* p now points to next hashed name */
-
- if (!CHECK_LEN(header, p, plen, hash_len))
- return 0;
-
+
if (digest_len == base32_len && hash_len == base32_len)
{
int rc = memcmp(workspace2, digest, digest_len);
@@ -1337,7 +1504,8 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
if (rc == 0)
{
/* We found an NSEC3 whose hashed name exactly matches the query, so
- we just need to check the type map. p points to the RR data for the record. */
+ we just need to check the type map. p points to the RR data for the record.
+ Note we have packet length up to rdlen bytes checked. */
int offset = (type & 0xff) >> 3;
int mask = 0x80 >> (type & 0x07);
@@ -1345,15 +1513,12 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
p += hash_len; /* skip next-domain hash */
rdlen -= p - psave;
- if (!CHECK_LEN(header, p, plen, rdlen))
- return 0;
-
if (rdlen >= 2 && p[0] == 0)
{
/* If we can prove that there's no NS record, return that information. */
if (nons && (p[2] & (0x80 >> T_NS)) != 0)
*nons = 0;
-
+
/* A CNAME answer would also be valid, so if there's a CNAME is should
have been returned. */
if ((p[2] & (0x80 >> T_CNAME)) != 0)
@@ -1412,8 +1577,9 @@ static int check_nsec3_coverage(struct dns_header *header, size_t plen, int dige
return 0;
}
-static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
- char *workspace1, char *workspace2, char *name, int type, char *wildname, int *nons)
+/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */
+static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count, char *workspace1,
+ char *workspace2, char *name, int type, char *wildname, int *nons, int *validate_counter)
{
unsigned char *salt, *p, *digest;
int digest_len, i, iterations, salt_len, base32_len, algo = 0;
@@ -1433,7 +1599,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
for (i = 0; i < nsec_count; i++)
{
if (!(p = skip_name(nsecs[i], header, plen, 15)))
- return 0; /* bad packet */
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
p += 10; /* type, class, TTL, rdlen */
algo = *p++;
@@ -1444,23 +1610,18 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
/* No usable NSEC3s */
if (i == nsec_count)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
p++; /* flags */
GETSHORT (iterations, p);
- /* Upper-bound iterations, to avoid DoS.
- Strictly, there are lower bounds for small keys, but
- since we don't have key size info here, at least limit
- to the largest bound, for 4096-bit keys. RFC 5155 10.3 */
- if (iterations > 2500)
- return 0;
+ /* Upper-bound iterations, to avoid DoS. RFC 9276 refers. */
+ if (iterations > daemon->limit[LIMIT_NSEC3_ITERS])
+ return DNSSEC_FAIL_NSEC3_ITERS;
salt_len = *p++;
salt = p;
- if (!CHECK_LEN(header, salt, plen, salt_len))
- return 0; /* bad packet */
-
+
/* Now prune so we only have NSEC3 records with same iterations, salt and algo */
for (i = 0; i < nsec_count; i++)
{
@@ -1470,7 +1631,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
nsecs[i] = NULL; /* Speculative, will be restored if OK. */
if (!(p = skip_name(nsec3p, header, plen, 15)))
- return 0; /* bad packet */
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
p += 10; /* type, class, TTL, rdlen */
@@ -1490,9 +1651,6 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
if (salt_len != *p++)
continue;
- if (!CHECK_LEN(header, p, plen, salt_len))
- return 0; /* bad packet */
-
if (memcmp(p, salt, salt_len) != 0)
continue;
@@ -1500,11 +1658,14 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
nsecs[i] = nsec3p;
}
+ if (dec_counter(validate_counter, NULL))
+ return DNSSEC_FAIL_WORK;
+
if ((digest_len = hash_name(name, &digest, hash, salt, salt_len, iterations)) == 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
if (check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, nons, count_labels(name)))
- return 1;
+ return 0;
/* Can't find an NSEC3 which covers the name directly, we need the "closest encloser NSEC3"
or an answer inferred from a wildcard record. */
@@ -1519,15 +1680,20 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
if (wildname && hostname_isequal(closest_encloser, wildname))
break;
+ if (dec_counter(validate_counter, NULL))
+ return DNSSEC_FAIL_WORK;
+
if ((digest_len = hash_name(closest_encloser, &digest, hash, salt, salt_len, iterations)) == 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
for (i = 0; i < nsec_count; i++)
if ((p = nsecs[i]))
{
- if (!extract_name(header, plen, &p, workspace1, 1, 0) ||
- !(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
- return 0;
+ if (!extract_name(header, plen, &p, workspace1, 1, 0))
+ return DNSSEC_FAIL_BADPACKET;
+
+ if (!(base32_len = base32_decode(workspace1, (unsigned char *)workspace2)))
+ return DNSSEC_FAIL_NONSEC;
if (digest_len == base32_len &&
memcmp(digest, workspace2, digest_len) == 0)
@@ -1542,35 +1708,43 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
while ((closest_encloser = strchr(closest_encloser, '.')));
if (!closest_encloser || !next_closest)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
/* Look for NSEC3 that proves the non-existence of the next-closest encloser */
+ if (dec_counter(validate_counter, NULL))
+ return DNSSEC_FAIL_WORK;
+
if ((digest_len = hash_name(next_closest, &digest, hash, salt, salt_len, iterations)) == 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL, 1))
- return 0;
+ return DNSSEC_FAIL_NONSEC;
/* Finally, check that there's no seat of wildcard synthesis */
if (!wildname)
{
if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
wildcard--;
*wildcard = '*';
+ if (dec_counter(validate_counter, NULL))
+ return DNSSEC_FAIL_WORK;
+
if ((digest_len = hash_name(wildcard, &digest, hash, salt, salt_len, iterations)) == 0)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
if (!check_nsec3_coverage(header, plen, digest_len, digest, type, workspace1, workspace2, nsecs, nsec_count, NULL, 1))
- return 0;
+ return DNSSEC_FAIL_NONSEC;
}
- return 1;
+ return 0;
}
-static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons)
+/* returns 0 on success, or DNSSEC_FAIL_* value on failure. */
+static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass,
+ char *wildname, int *nons, int *nsec_ttl, int *validate_counter)
{
static unsigned char **nsecset = NULL, **rrsig_labels = NULL;
static int nsecset_sz = 0, rrsig_labels_sz = 0;
@@ -1578,35 +1752,47 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
int type_found = 0;
unsigned char *auth_start, *p = skip_questions(header, plen);
int type, class, rdlen, i, nsecs_found;
+ unsigned long ttl;
/* Move to NS section */
if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen)))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
auth_start = p;
- for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--)
+ for (nsecs_found = 0, i = 0; i < ntohs(header->nscount); i++)
{
unsigned char *pstart = p;
if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
GETSHORT(type, p);
GETSHORT(class, p);
- p += 4; /* TTL */
+ GETLONG(ttl, p);
GETSHORT(rdlen, p);
-
+
+ if (!CHECK_LEN(header, p, plen, rdlen))
+ return DNSSEC_FAIL_BADPACKET;
+
if (class == qclass && (type == T_NSEC || type == T_NSEC3))
{
+ if (nsec_ttl)
+ {
+ /* Limit TTL with sig TTL */
+ if (daemon->rr_status[ntohs(header->ancount) + i] < ttl)
+ ttl = daemon->rr_status[ntohs(header->ancount) + i];
+ *nsec_ttl = ttl;
+ }
+
/* No mixed NSECing 'round here, thankyouverymuch */
if (type_found != 0 && type_found != type)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
type_found = type;
if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
if (type == T_NSEC)
{
@@ -1621,30 +1807,33 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
int res, j, rdlen1, type1, class1;
if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
rrsig_labels[nsecs_found] = NULL;
for (j = ntohs(header->nscount); j != 0; j--)
{
- if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
- return 0;
+ unsigned char *psav;
+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
+ return DNSSEC_FAIL_BADPACKET;
+
GETSHORT(type1, p1);
GETSHORT(class1, p1);
p1 += 4; /* TTL */
GETSHORT(rdlen1, p1);
+ psav = p1;
+
if (!CHECK_LEN(header, p1, plen, rdlen1))
- return 0;
+ return DNSSEC_FAIL_BADPACKET;
if (res == 1 && class1 == qclass && type1 == T_RRSIG)
{
int type_covered;
- unsigned char *psav = p1;
-
+
if (rdlen1 < 18)
- return 0; /* bad packet */
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
GETSHORT(type_covered, p1);
@@ -1656,33 +1845,56 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key
if (!rrsig_labels[nsecs_found])
rrsig_labels[nsecs_found] = p1;
else if (*rrsig_labels[nsecs_found] != *p1) /* algo */
- return 0;
- }
- p1 = psav;
+ return DNSSEC_FAIL_NONSEC;
+ }
}
- if (!ADD_RDLEN(header, p1, plen, rdlen1))
- return 0;
+ p1 = psav + rdlen1;
}
/* Must have found at least one sig. */
if (!rrsig_labels[nsecs_found])
- return 0;
+ return DNSSEC_FAIL_NONSEC;
+ }
+ else if (type == T_NSEC3)
+ {
+ /* Decode the packet structure enough to check that rdlen is big enough
+ to contain everything other than the type bitmap.
+ (packet checked to be long enough to contain rdlen above)
+ We don't need to do any further length checks in check_nes3_coverage()
+ or prove_non_existence_nsec3() */
+
+ int salt_len, hash_len;
+ unsigned char *psav = p;
+
+ if (rdlen < 5)
+ return DNSSEC_FAIL_BADPACKET;
+
+ p += 4; /* algo, flags, iterations */
+ salt_len = *p++; /* salt_len */
+ if (rdlen < (6 + salt_len))
+ return DNSSEC_FAIL_BADPACKET; /* check up to hash_length */
+
+ p += salt_len; /* salt */
+ hash_len = *p++;
+ if (rdlen < (6 + salt_len + hash_len))
+ return DNSSEC_FAIL_BADPACKET; /* check to end of next hashed name */
+
+ p = psav;
}
nsecset[nsecs_found++] = pstart;
}
- if (!ADD_RDLEN(header, p, plen, rdlen))
- return 0;
+ p += rdlen;
}
if (type_found == T_NSEC)
return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
else if (type_found == T_NSEC3)
- return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons);
+ return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons, validate_counter);
else
- return 0;
+ return DNSSEC_FAIL_NONSEC;
}
/* Check signing status of name.
@@ -1777,35 +1989,40 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
STAT_BOGUS signature is wrong, bad packet, no validation where there should be.
STAT_NEED_KEY need DNSKEY to complete validation (name is returned in keyname, class in *class)
STAT_NEED_DS need DS to complete validation (name is returned in keyname)
+ STAT_ABANDONED resource exhaustion.
daemon->rr_status points to a char array which corressponds to the RRs in the
- answer section (only). This is set to 1 for each RR which is validated, and 0 for any which aren't.
+ answer and auth sections. This is set to >1 for each RR which is validated, and 0 for any which aren't.
+
+ When validating replies to DS records, we're only interested in the NSEC{3} RRs in the auth section.
+ Other RRs in that section missing sigs will not cause am INSECURE reply. We determine this mode
+ if the nons argument is non-NULL.
*/
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname,
- int *class, int check_unsigned, int *neganswer, int *nons)
+ int *class, int check_unsigned, int *neganswer, int *nons, int *nsec_ttl, int *validate_counter)
{
static unsigned char **targets = NULL;
static int target_sz = 0;
unsigned char *ans_start, *p1, *p2;
int type1, class1, rdlen1 = 0, type2, class2, rdlen2, qclass, qtype, targetidx;
- int i, j, rc;
+ int i, j, rc = STAT_INSECURE;
int secure = STAT_SECURE;
-
+ int rc_nsec;
/* extend rr_status if necessary */
- if (daemon->rr_status_sz < ntohs(header->ancount))
+ if (daemon->rr_status_sz < ntohs(header->ancount) + ntohs(header->nscount))
{
- char *new = whine_malloc(ntohs(header->ancount) + 64);
+ unsigned long *new = whine_malloc(sizeof(*daemon->rr_status) * (ntohs(header->ancount) + ntohs(header->nscount) + 64));
if (!new)
return STAT_BOGUS;
free(daemon->rr_status);
- daemon->rr_status = new;
- daemon->rr_status_sz = ntohs(header->ancount) + 64;
+ daemon->rr_status = (char *)new;
+ daemon->rr_status_sz = ntohs(header->ancount) + ntohs(header->nscount) + 64;
}
- memset(daemon->rr_status, 0, ntohs(header->ancount));
+ memset(daemon->rr_status, 0, sizeof(*daemon->rr_status) * daemon->rr_status_sz);
if (neganswer)
*neganswer = 0;
@@ -1820,7 +2037,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
/* Find all the targets we're looking for answers to.
The zeroth array element is for the query, subsequent ones
- for CNAME targets, unless the query is for a CNAME. */
+ for CNAME targets, unless the query is for a CNAME or ANY. */
if (!expand_workspace(&targets, &target_sz, 0))
return STAT_BOGUS;
@@ -1839,7 +2056,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
if (qtype == T_RRSIG)
return STAT_INSECURE;
- if (qtype != T_CNAME)
+ if (qtype != T_CNAME && qtype != T_ANY)
for (j = ntohs(header->ancount); j != 0; j--)
{
if (!(p1 = skip_name(p1, header, plen, 10)))
@@ -1863,10 +2080,10 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
for (p1 = ans_start, i = 0; i < ntohs(header->ancount) + ntohs(header->nscount); i++)
{
- if (i != 0 && !ADD_RDLEN(header, p1, plen, rdlen1))
- return STAT_BOGUS;
-
- if (!extract_name(header, plen, &p1, name, 1, 10))
+ if (i != 0 && !ADD_RDLEN(header, p1, plen, rdlen1))
+ return STAT_BOGUS;
+
+ if (!extract_name(header, plen, &p1, name, 1, 10))
return STAT_BOGUS; /* bad packet */
GETSHORT(type1, p1);
@@ -1896,12 +2113,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
return STAT_BOGUS;
}
+ /* Done already: copy the validation status */
if (j != i)
- {
- /* Done already: copy the validation status */
- if (i < ntohs(header->ancount))
- daemon->rr_status[i] = daemon->rr_status[j];
- }
+ daemon->rr_status[i] = daemon->rr_status[j];
else
{
/* Not done, validate now */
@@ -1914,19 +2128,32 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
/* No signatures for RRset. We can be configured to assume this is OK and return an INSECURE result. */
if (sigcnt == 0)
{
- if (check_unsigned)
+ /* NSEC and NSEC3 records must be signed. We make this assumption elsewhere. */
+ if (type1 == T_NSEC || type1 == T_NSEC3)
+ return STAT_BOGUS | DNSSEC_FAIL_NOSIG;
+ else if (nons && i >= ntohs(header->ancount))
+ /* If we're validating a DS reply, rather than looking for the value of AD bit,
+ we only care that NSEC and NSEC3 RRs in the auth section are signed.
+ Return SECURE even if others (SOA....) are not. */
+ rc = STAT_SECURE;
+ else
{
- rc = zone_status(name, class1, keyname, now);
- if (rc == STAT_SECURE)
- rc = STAT_BOGUS;
- if (class)
- *class = class1; /* Class for NEED_DS or NEED_KEY */
+ /* unsigned RRsets in auth section are not BOGUS, but do make reply insecure. */
+ if (check_unsigned && i < ntohs(header->ancount))
+ {
+ rc = zone_status(name, class1, keyname, now);
+ if (STAT_ISEQUAL(rc, STAT_SECURE))
+ rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG;
+
+ if (class)
+ *class = class1; /* Class for NEED_DS or NEED_KEY */
+ }
+ else
+ rc = STAT_INSECURE;
+
+ if (!STAT_ISEQUAL(rc, STAT_INSECURE))
+ return rc;
}
- else
- rc = STAT_INSECURE;
-
- if (rc != STAT_INSECURE)
- return rc;
}
else
{
@@ -1935,21 +2162,21 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
strcpy(daemon->workspacename, keyname);
rc = zone_status(daemon->workspacename, class1, keyname, now);
- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
+ if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS))
{
- /* Zone is insecure, don't need to validate RRset */
if (class)
*class = class1; /* Class for NEED_DS or NEED_KEY */
return rc;
}
/* Zone is insecure, don't need to validate RRset */
- if (rc == STAT_SECURE)
+ if (STAT_ISEQUAL(rc, STAT_SECURE))
{
+ unsigned long sig_ttl;
rc = validate_rrset(now, header, plen, class1, type1, sigcnt,
- rrcnt, name, keyname, &wildname, NULL, 0, 0, 0);
+ rrcnt, name, keyname, &wildname, NULL, 0, 0, 0, &sig_ttl, validate_counter);
- if (rc == STAT_BOGUS || rc == STAT_NEED_KEY || rc == STAT_NEED_DS)
+ if (STAT_ISEQUAL(rc, STAT_BOGUS) || STAT_ISEQUAL(rc, STAT_NEED_KEY) || STAT_ISEQUAL(rc, STAT_NEED_DS) || STAT_ISEQUAL(rc, STAT_ABANDONED))
{
if (class)
*class = class1; /* Class for DS or DNSKEY */
@@ -1959,8 +2186,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
/* rc is now STAT_SECURE or STAT_SECURE_WILDCARD */
/* Note that RR is validated */
- if (i < ntohs(header->ancount))
- daemon->rr_status[i] = 1;
+ daemon->rr_status[i] = sig_ttl;
/* Note if we've validated either the answer to the question
or the target of a CNAME. Any not noted will need NSEC or
@@ -1983,16 +2209,16 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
Note that we may not yet have validated the NSEC/NSEC3 RRsets.
That's not a problem since if the RRsets later fail
we'll return BOGUS then. */
- if (rc == STAT_SECURE_WILDCARD &&
- !prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL))
- return STAT_BOGUS;
+ if (STAT_ISEQUAL(rc, STAT_SECURE_WILDCARD) &&
+ ((rc_nsec = prove_non_existence(header, plen, keyname, name, type1, class1, wildname, NULL, NULL, validate_counter))) != 0)
+ return (rc_nsec & DNSSEC_FAIL_WORK) ? STAT_ABANDONED : (STAT_BOGUS | rc_nsec);
rc = STAT_SECURE;
}
}
}
- if (rc == STAT_INSECURE)
+ if (STAT_ISEQUAL(rc, STAT_INSECURE))
secure = STAT_INSECURE;
}
@@ -2002,28 +2228,32 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
{
if (neganswer)
*neganswer = 1;
-
+
if (!extract_name(header, plen, &p2, name, 1, 10))
return STAT_BOGUS; /* bad packet */
-
+
/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
-
+
/* For anything other than a DS record, this situation is OK if either
the answer is in an unsigned zone, or there's a NSEC records. */
- if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
+ if ((rc_nsec = prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons, nsec_ttl, validate_counter)) != 0)
{
+ if (rc_nsec & DNSSEC_FAIL_WORK)
+ return STAT_ABANDONED;
+
/* Empty DS without NSECS */
if (qtype == T_DS)
- return STAT_BOGUS;
+ return STAT_BOGUS | rc_nsec;
- if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
+ if ((rc_nsec & (DNSSEC_FAIL_NONSEC | DNSSEC_FAIL_NSEC3_ITERS)) &&
+ !STAT_ISEQUAL((rc = zone_status(name, qclass, keyname, now)), STAT_SECURE))
{
if (class)
*class = qclass; /* Class for NEED_DS or NEED_KEY */
return rc;
}
- return STAT_BOGUS; /* signed zone, no NSECs */
+ return STAT_BOGUS | rc_nsec; /* signed zone, no NSECs */
}
}
diff --git a/src/forward.c b/src/forward.c
index 989fb61..64124b1 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -406,7 +406,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
if (ad_reqd)
forward->flags |= FREC_AD_QUESTION;
#ifdef HAVE_DNSSEC
- forward->work_counter = DNSSEC_WORK;
+ forward->work_counter = daemon->limit[LIMIT_WORK];
+ forward->validate_counter = daemon->limit[LIMIT_CRYPTO];
if (do_bit)
forward->flags |= FREC_DO_QUESTION;
#endif
@@ -770,6 +771,7 @@ void reply_query(int fd, time_t now)
struct server *server;
void *hash;
struct server_domain *sd;
+ size_t plen;
/* packet buffer overwritten */
daemon->srv_save = NULL;
@@ -820,7 +822,6 @@ void reply_query(int fd, time_t now)
/* for broken servers, attempt to send to another one. */
{
unsigned char *pheader;
- size_t plen;
int is_sign;
/* In strict order mode, there must be a server later in the chain
@@ -926,29 +927,38 @@ void reply_query(int fd, time_t now)
*/
if (header->hb3 & HB3_TC)
status = STAT_TRUNCATED;
+ struct frec *orig;
+ int log_resource = 0;
while (1)
{
/* As soon as anything returns BOGUS, we stop and unwind, to do otherwise
would invite infinite loops, since the answers to DNSKEY and DS queries
will not be cached, so they'll be repeated. */
+ /* Find the original query that started it all.... */
+ for (orig = forward; orig->dependent; orig = orig->dependent);
+
if (status != STAT_BOGUS && status != STAT_TRUNCATED && status != STAT_ABANDONED)
{
if (forward->flags & FREC_DNSKEY_QUERY)
- status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
else if (forward->flags & FREC_DS_QUERY)
- status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
+ status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
else
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class,
option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
- NULL, NULL);
+ NULL, NULL, NULL, &orig->validate_counter);
}
+ status = status & 0xffff0000;
+
+ if (status == STAT_ABANDONED)
+ log_resource = 1;
/* Can't validate, as we're missing key data. Put this
answer aside, whilst we get that. */
if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
{
- struct frec *new, *orig;
+ struct frec *new;
/* Free any saved query */
if (forward->stash)
@@ -959,11 +969,11 @@ void reply_query(int fd, time_t now)
return;
forward->stash_len = n;
- /* Find the original query that started it all.... */
- for (orig = forward; orig->dependent; orig = orig->dependent);
-
- if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
+ if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) {
status = STAT_ABANDONED;
+ my_syslog(LOG_WARNING, _("limit exceeded: per-query subqueries"));
+ log_resource = 1;
+ }
else
{
int fd, type = SERV_DO_DNSSEC;
@@ -1056,7 +1066,15 @@ void reply_query(int fd, time_t now)
}
return;
}
-
+ if (log_resource)
+ {
+ /* Log the actual validation that made us barf. */
+ unsigned char *p = (unsigned char *)(header+1);
+ if (extract_name(header, plen, &p, daemon->namebuff, 0, 4) == 1)
+ my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."),
+ daemon->namebuff[0] ? daemon->namebuff : ".");
+ }
+
/* Validated original answer, all done. */
if (!forward->dependent)
break;
@@ -1499,7 +1517,7 @@ void receive_query(struct listener *listen, time_t now)
/* Recurse up the key hierarchy */
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
int class, char *name, char *keyname, struct server *server,
- int have_mark, unsigned int mark, int *keycount)
+ int have_mark, unsigned int mark, int *keycount, int *validatecount)
{
int new_status;
unsigned char *packet = NULL;
@@ -1516,20 +1534,35 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
struct server *firstsendto = NULL;
/* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
- if (--(*keycount) == 0)
- new_status = STAT_ABANDONED;
- else if (status == STAT_NEED_KEY)
- new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
+ if (status == STAT_NEED_KEY)
+ new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class, validatecount);
else if (status == STAT_NEED_DS)
- new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
+ new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount);
else
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
- option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
- NULL, NULL);
-
- if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
+ !option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
+ NULL, NULL, NULL, validatecount);
+ new_status = new_status & 0xffff0000;
+
+ if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY && new_status != STAT_ABANDONED)
break;
+ if ((*keycount)-- == 0)
+ {
+ my_syslog(LOG_WARNING, _("limit exceeded: per-query subqueries"));
+ new_status = STAT_ABANDONED;
+ }
+
+ if (new_status == STAT_ABANDONED)
+ {
+ /* Log the actual validation that made us barf. */
+ unsigned char *p = (unsigned char *)(header+1);
+ if (extract_name(header, n, &p, daemon->namebuff, 0, 4) == 1)
+ my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."),
+ daemon->namebuff[0] ? daemon->namebuff : ".");
+ break;
+ }
+
/* Can't validate because we need a key/DS whose name now in keyname.
Make query for same, and recurse to validate */
if (!packet)
@@ -1624,7 +1657,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
server->flags |= SERV_GOT_TCP;
m = (c1 << 8) | c2;
- new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount);
+ new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount, validatecount);
break;
}
@@ -1947,9 +1980,10 @@ unsigned char *tcp_request(int confd, time_t now,
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC))
{
- int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
+ int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
+ int validatecount = daemon->limit[LIMIT_CRYPTO];
int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname,
- last_server, have_mark, mark, &keycount);
+ last_server, have_mark, mark, &keycount, &validatecount);
char *result, *domain = "result";
if (status == STAT_ABANDONED)
diff --git a/src/option.c b/src/option.c
index 4e54afb..944a482 100644
--- a/src/option.c
+++ b/src/option.c
@@ -160,6 +160,7 @@ struct myoption {
#define LOPT_DHCPTTL 348
#define LOPT_TFTP_MTU 349
#define LOPT_REPLY_DELAY 350
+#define LOPT_DNSSEC_LIMITS 351
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -313,6 +314,7 @@ static const struct myoption opts[] =
{ "dnssec-check-unsigned", 0, 0, LOPT_DNSSEC_CHECK },
{ "dnssec-no-timecheck", 0, 0, LOPT_DNSSEC_TIME },
{ "dnssec-timestamp", 1, 0, LOPT_DNSSEC_STAMP },
+ { "dnssec-limits", 1, 0, LOPT_DNSSEC_LIMITS },
#ifdef OPTION6_PREFIX_CLASS
{ "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS },
#endif
@@ -485,6 +487,7 @@ static struct {
{ LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
{ LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload"), NULL },
{ LOPT_DNSSEC_STAMP, ARG_ONE, "<path>", gettext_noop("Timestamp file to verify system clock for DNSSEC"), NULL },
+ { LOPT_DNSSEC_LIMITS, ARG_ONE, "<limit>,..", gettext_noop("Set resource limits for DNSSEC validation"), NULL },
#ifdef OPTION6_PREFIX_CLASS
{ LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify DHCPv6 prefix class"), NULL },
#endif
@@ -4353,6 +4356,23 @@ err:
}
#ifdef HAVE_DNSSEC
+ case LOPT_DNSSEC_LIMITS:
+ {
+ int lim, val;
+
+ for (lim = LIMIT_SIG_FAIL; arg && lim < LIMIT_MAX ; lim++, arg = comma)
+ {
+ comma = split(arg);
+
+ if (!atoi_check(arg, &val))
+ ret_err(gen_err);
+
+ if (val != 0)
+ daemon->limit[lim] = val;
+ }
+
+ break;
+ }
case LOPT_DNSSEC_STAMP:
daemon->timestamp_file = opt_string_alloc(arg);
break;
@@ -4903,6 +4923,12 @@ void read_opts(int argc, char **argv, char *compile_opts)
daemon->soa_refresh = SOA_REFRESH;
daemon->soa_retry = SOA_RETRY;
daemon->soa_expiry = SOA_EXPIRY;
+#ifdef HAVE_DNSSEC
+ daemon->limit[LIMIT_SIG_FAIL] = DNSSEC_LIMIT_SIG_FAIL;
+ daemon->limit[LIMIT_CRYPTO] = DNSSEC_LIMIT_CRYPTO;
+ daemon->limit[LIMIT_WORK] = DNSSEC_LIMIT_WORK;
+ daemon->limit[LIMIT_NSEC3_ITERS] = DNSSEC_LIMIT_NSEC3_ITERS;
+#endif
daemon->max_port = MAX_PORT;
daemon->min_port = MIN_PORT;
diff --git a/src/rrfilter.c b/src/rrfilter.c
index f5b9c61..b332f29 100644
--- a/src/rrfilter.c
+++ b/src/rrfilter.c
@@ -136,9 +136,9 @@ static int check_rrs(unsigned char *p, struct dns_header *header, size_t plen, i
if (class == C_IN)
{
- u16 *d;
+ short *d;
- for (pp = p, d = rrfilter_desc(type); *d != (u16)-1; d++)
+ for (pp = p, d = rrfilter_desc(type); *d != -1; d++)
{
if (*d != 0)
pp += *d;
@@ -266,7 +266,7 @@ size_t rrfilter(struct dns_header *header, size_t plen, int mode)
}
/* This is used in the DNSSEC code too, hence it's exported */
-u16 *rrfilter_desc(int type)
+short *rrfilter_desc(int type)
{
/* List of RRtypes which include domains in the data.
0 -> domain
@@ -277,7 +277,7 @@ u16 *rrfilter_desc(int type)
anything which needs no mangling.
*/
- static u16 rr_desc[] =
+ static short rr_desc[] =
{
T_NS, 0, -1,
T_MD, 0, -1,
@@ -302,10 +302,10 @@ u16 *rrfilter_desc(int type)
0, -1 /* wildcard/catchall */
};
- u16 *p = rr_desc;
+ short *p = rr_desc;
while (*p != type && *p != 0)
- while (*p++ != (u16)-1);
+ while (*p++ != -1);
return p+1;
}