From: Chris Staite <ch...@yourdreamnet.co.uk>

Fixes the case where a CNAME is valid and unsigned and the target of the CNAME is valid and signed.
The use case is as follows:

1) Query for a record.
2) Response is a CNAME which is valid but unsigned, but points to a record that is signed.
3) Code checks unsigned and is happy with that (verifying NSEC).
4) Code checks CNAME and is happy with that (verifying the RRset).
5) Final validation sees a secure response in the answer set when the sigcnt for the response is 0 (because the CNAME was unsigned) and returns BOGUS.

The correct response here should be to return an INSECURE response (throwing away the secure check for the forwarded domain).

One could argue it’s not worth validating the CNAME target if it isn’t signed itself... That’s an alternative, but we might as well make it as hard for the attacker as possible I suppose?
---
 src/dnssec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/dnssec.c b/src/dnssec.c index 9965eea..ceb6250 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -2004,6 +2004,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch if (STAT_ISEQUAL(rc, STAT_SECURE)) rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG; + if (STAT_ISEQUAL(rc, STAT_INSECURE) && type1 == T_CNAME) + check_unsigned = 0; + if (class) *class = class1; /* Class for NEED_DS or NEED_KEY */ }
-- 
2.31.1

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
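Review bot: the new condition in the hunk, `if (STAT_ISEQUAL(rc, STAT_INSECURE) && type1 == T_CNAME) check_unsigned = 0;`, clears check_unsigned for the rest of the reply as soon as any unsigned CNAME RRset is seen, without tying the relaxation to the name the CNAME actually points at; every RRset processed after it then skips the "unsigned data in a zone that zone_status reports as secure" test that the two preceding context lines (`if (STAT_ISEQUAL(rc, STAT_SECURE)) rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG;`) perform. The commit message accepts this trade-off, but the code does not record it: add a comment next to the new lines, in the style of the neighbouring `/* Class for NEED_DS or NEED_KEY */`, stating that an unsigned CNAME makes the whole chain INSECURE and that the signed target is still validated only as a best effort, and consider limiting the relaxation to RRsets owned by the CNAME's target rather than to everything that follows in the answer section.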