unbound/unbound-r1670.patch

Index: validator/validator.c
===================================================================
--- validator/validator.c	(revision 1669)
+++ validator/validator.c	(revision 1670)
@@ -479,6 +479,36 @@
 }
 
 /**
+ * Detect wrong truncated response, by a bad recursor out there.
+ * The positive response has a mangled authority section.
+ * Remove that authority section.
+ * @param rep: reply
+ * @return true if a wrongly truncated response.
+ */
+static int
+detect_wrongly_truncated(struct reply_info* rep)
+{
+	size_t i;
+	/* no additional, only NS in authority, and it is bogus */
+	if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
+		rep->an_numrrsets == 0)
+		return 0;
+	if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
+		return 0;
+	if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
+		->entry.data)->security != sec_status_bogus)
+		return 0;
+	/* answer section is present and secure */
+	for(i=0; i<rep->an_numrrsets; i++) {
+		if(((struct packed_rrset_data*)rep->rrsets[ i ]
+			->entry.data)->security != sec_status_secure)
+			return 0;
+	}
+	return 1;
+}
+
+
+/**
  * Given a "positive" response -- a response that contains an answer to the
  * question, and no CNAME chain, validate this response. 
  *
@@ -1449,17 +1479,31 @@
 		vq->chase_reply->security = sec_status_bogus;
 		return 1;
 	}
+	subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
+		&vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
 
 	/* check signatures in the message; 
 	 * answer and authority must be valid, additional is only checked. */
 	if(!validate_msg_signatures(qstate->env, ve, &vq->qchase, 
 		vq->chase_reply, vq->key_entry)) {
-		verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
-		return 1;
+		/* workaround bad recursor out there that truncates (even
+		 * with EDNS4k) to 512 by removing RRSIG from auth section
+		 * for positive replies*/
+		if(subtype == VAL_CLASS_POSITIVE &&
+			detect_wrongly_truncated(vq->orig_msg->rep)) {
+			/* truncate the message some more */
+			vq->orig_msg->rep->ns_numrrsets = 0;
+			vq->orig_msg->rep->rrset_count--;
+			vq->chase_reply->ns_numrrsets = 0;
+			vq->chase_reply->rrset_count--;
+		}
+		else {
+			verbose(VERB_DETAIL, "Validate: message contains "
+				"bad rrsets");
+			return 1;
+		}
 	}
 
-	subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
-		&vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
 	switch(subtype) {
 		case VAL_CLASS_POSITIVE:
 			verbose(VERB_ALGO, "Validating a positive response");
- Updated to 1.3.0 - Added unbound-python sub package. disabled for now - Patch from svn to fix DLV lookups - Patches from svn to detect wrong truncated response from BIND 9.6.1 with minimal-responses - Added Default-Start and Default-Stop to unbound.init - Re-enabled --enable-sha2 - Re-enabled glob.patch 2009-06-21 04:14:54 +00:00			`Index: validator/validator.c`
			`===================================================================`
			`--- validator/validator.c (revision 1669)`
			`+++ validator/validator.c (revision 1670)`
			`@@ -479,6 +479,36 @@`
			`}`

			`/**`
			`+ * Detect wrong truncated response, by a bad recursor out there.`
			`+ * The positive response has a mangled authority section.`
			`+ * Remove that authority section.`
			`+ * @param rep: reply`
			`+ * @return true if a wrongly truncated response.`
			`+ */`
			`+static int`
			`+detect_wrongly_truncated(struct reply_info* rep)`
			`+{`
			`+ size_t i;`
			`+ /* no additional, only NS in authority, and it is bogus */`
			`+ if(rep->ar_numrrsets != 0 \|\| rep->ns_numrrsets != 1 \|\|`
			`+ rep->an_numrrsets == 0)`
			`+ return 0;`
			`+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)`
			`+ return 0;`
			`+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]`
			`+ ->entry.data)->security != sec_status_bogus)`
			`+ return 0;`
			`+ /* answer section is present and secure */`
			`+ for(i=0; i<rep->an_numrrsets; i++) {`
			`+ if(((struct packed_rrset_data*)rep->rrsets[ i ]`
			`+ ->entry.data)->security != sec_status_secure)`
			`+ return 0;`
			`+ }`
			`+ return 1;`
			`+}`
			`+`
			`+`
			`+/**`
			`* Given a "positive" response -- a response that contains an answer to the`
			`* question, and no CNAME chain, validate this response.`
			`*`
			`@@ -1449,17 +1479,31 @@`
			`vq->chase_reply->security = sec_status_bogus;`
			`return 1;`
			`}`
			`+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,`
			`+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);`

			`/* check signatures in the message;`
			`* answer and authority must be valid, additional is only checked. */`
			`if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,`
			`vq->chase_reply, vq->key_entry)) {`
			`- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");`
			`- return 1;`
			`+ /* workaround bad recursor out there that truncates (even`
			`+ * with EDNS4k) to 512 by removing RRSIG from auth section`
			`+ * for positive replies*/`
			`+ if(subtype == VAL_CLASS_POSITIVE &&`
			`+ detect_wrongly_truncated(vq->orig_msg->rep)) {`
			`+ /* truncate the message some more */`
			`+ vq->orig_msg->rep->ns_numrrsets = 0;`
			`+ vq->orig_msg->rep->rrset_count--;`
			`+ vq->chase_reply->ns_numrrsets = 0;`
			`+ vq->chase_reply->rrset_count--;`
			`+ }`
			`+ else {`
			`+ verbose(VERB_DETAIL, "Validate: message contains "`
			`+ "bad rrsets");`
			`+ return 1;`
			`+ }`
			`}`

			`- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,`
			`- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);`
			`switch(subtype) {`
			`case VAL_CLASS_POSITIVE:`
			`verbose(VERB_ALGO, "Validating a positive response");`