]> granicus.if.org Git - pdns/commit
projects / pdns / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: da0b87e) | patch
recursor: Prevent DNSSEC downgrade attacks
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 31 Oct 2017 21:57:46 +0000 (22:57 +0100)
committerPieter Lexis <pieter.lexis@powerdns.com>
Thu, 2 Nov 2017 15:24:51 +0000 (16:24 +0100)
commit1e332f681bb16a12bf0c5075d058b7ea850f4288
tree399d731539ca99cba2f74aa05e41df8d9e43224btree | snapshot
parentda0b87e02caf5de61eb3bd66448b70655d9e16a5commit | diff
recursor: Prevent DNSSEC downgrade attacks

RFC 4509 section 3: "Validator implementations SHOULD ignore DS RR
containing SHA-1 digests if DS RRs with SHA-256 digests are present in the
DS RRset."

As SHA348 is specified as well, the spirit of the this line is "use the
best algorithm".

This also means that if a delegation has DS records for multiple keys
(and algos) and only a subset have stronger digests, we will discard the
DS records for the weaker digests.
pdns/syncres.cc diff | blob | history
pdns/syncres.hh diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.