From: Chris Staite <ch...@yourdreamnet.co.uk>

Fixes the case where a CNAME is valid and unsigned and the target of the
CNAME is valid and signed.

The use case is as follows:

1) Query for a record.
2) Response is a CNAME which is valid but unsigned,
   but points to a record that is signed
3) Code checks unsigned and is happy with that (verifying NSEC)
4) Code checks CNAME and is happy with that (verifying the RRset)
5) Final validation sees a secure response in the answer set when
   the sigcnt for the response is 0 (because the CNAME was unsigned)
   and returns BOGUS

The correct response here should be to return an INSECURE response
(throwing away the secure check for the forwarded domain). One could
argue it’s not worth validating the CNAME target if it isn’t signed
itself... That’s an alternative, but we might as well make it as hard
for the attacker as possible I suppose?
---
 src/dnssec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/dnssec.c b/src/dnssec.c
index 9965eea..ceb6250 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2004,6 +2004,9 @@ int dnssec_validate_reply(time_t now, struct dns_header 
*header, size_t plen, ch
                      if (STAT_ISEQUAL(rc, STAT_SECURE))
                        rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG;
                      
+                     if (STAT_ISEQUAL(rc, STAT_INSECURE) && type1 == T_CNAME)
+                       check_unsigned = 0;
+
                      if (class)
                        *class = class1; /* Class for NEED_DS or NEED_KEY */
                    }
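Review bot: the added `check_unsigned = 0;` under `if (STAT_ISEQUAL(rc, STAT_INSECURE) && type1 == T_CNAME)` carries no comment, and nothing in the visible context restores the flag afterwards, so the hunk does not show whether the relaxation covers only the target of this CNAME or every RRset still to be processed in the reply. Please add a short comment stating the intent from the commit message (a valid, unsigned CNAME makes the whole answer INSECURE, so a signed target must not be reported BOGUS when sigcnt is 0), and confirm that clearing the flag here cannot cause an unrelated unsigned RRset later in the same answer to skip its check. It would also help to state in the comment, or show in the patch, that the status finally returned for this case is INSECURE and never SECURE, since the commit message relies on that and these three lines alone do not demonstrate it. A regression test with an unsigned CNAME pointing into a signed zone would pin the behaviour down.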
-- 
2.31.1


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
