41fa06700a
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
minimal-responses
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch
78 lines
2.5 KiB
Diff
78 lines
2.5 KiB
Diff
Index: validator/validator.c
|
|
===================================================================
|
|
--- validator/validator.c (revision 1669)
|
|
+++ validator/validator.c (revision 1670)
|
|
@@ -479,6 +479,36 @@
|
|
}
|
|
|
|
/**
|
|
+ * Detect wrong truncated response, by a bad recursor out there.
|
|
+ * The positive response has a mangled authority section.
|
|
+ * Remove that authority section.
|
|
+ * @param rep: reply
|
|
+ * @return true if a wrongly truncated response.
|
|
+ */
|
|
+static int
|
|
+detect_wrongly_truncated(struct reply_info* rep)
|
|
+{
|
|
+ size_t i;
|
|
+ /* no additional, only NS in authority, and it is bogus */
|
|
+ if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
|
|
+ rep->an_numrrsets == 0)
|
|
+ return 0;
|
|
+ if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
|
|
+ return 0;
|
|
+ if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
|
|
+ ->entry.data)->security != sec_status_bogus)
|
|
+ return 0;
|
|
+ /* answer section is present and secure */
|
|
+ for(i=0; i<rep->an_numrrsets; i++) {
|
|
+ if(((struct packed_rrset_data*)rep->rrsets[ i ]
|
|
+ ->entry.data)->security != sec_status_secure)
|
|
+ return 0;
|
|
+ }
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
* Given a "positive" response -- a response that contains an answer to the
|
|
* question, and no CNAME chain, validate this response.
|
|
*
|
|
@@ -1449,17 +1479,31 @@
|
|
vq->chase_reply->security = sec_status_bogus;
|
|
return 1;
|
|
}
|
|
+ subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
|
|
+ &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
|
|
|
|
/* check signatures in the message;
|
|
* answer and authority must be valid, additional is only checked. */
|
|
if(!validate_msg_signatures(qstate->env, ve, &vq->qchase,
|
|
vq->chase_reply, vq->key_entry)) {
|
|
- verbose(VERB_DETAIL, "Validate: message contains bad rrsets");
|
|
- return 1;
|
|
+ /* workaround bad recursor out there that truncates (even
|
|
+ * with EDNS4k) to 512 by removing RRSIG from auth section
|
|
+ * for positive replies*/
|
|
+ if(subtype == VAL_CLASS_POSITIVE &&
|
|
+ detect_wrongly_truncated(vq->orig_msg->rep)) {
|
|
+ /* truncate the message some more */
|
|
+ vq->orig_msg->rep->ns_numrrsets = 0;
|
|
+ vq->orig_msg->rep->rrset_count--;
|
|
+ vq->chase_reply->ns_numrrsets = 0;
|
|
+ vq->chase_reply->rrset_count--;
|
|
+ }
|
|
+ else {
|
|
+ verbose(VERB_DETAIL, "Validate: message contains "
|
|
+ "bad rrsets");
|
|
+ return 1;
|
|
+ }
|
|
}
|
|
|
|
- subtype = val_classify_response(qstate->query_flags, &qstate->qinfo,
|
|
- &vq->qchase, vq->orig_msg->rep, vq->rrset_skip);
|
|
switch(subtype) {
|
|
case VAL_CLASS_POSITIVE:
|
|
verbose(VERB_ALGO, "Validating a positive response");
|