rec: Guard against out-of-bailiwick signatures
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 18 Aug 2017 10:32:51 +0000 (12:32 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Sun, 26 Nov 2017 09:26:04 +0000 (10:26 +0100)
Similar issue to the one fixed in Knot Resolver 1.3.3:

https://gitlab.labs.nic.cz/knot/knot-resolver/commit/d7d7cae5a339ec4b0a280184af3a46d89c08bc09

pdns/validate-recursor.cc

index 799ed053615509b7742d652638d05a8e25c0d697..1aca8cfc02a4e0820781fea8f2b7854e246d2743 100644 (file)
@@ -87,6 +87,11 @@ vState validateRecords(const ResolveContext& ctx, const vector<DNSRecord>& recs)
     bool first = true;
     for(const auto& csp : cspmap) {
       for(const auto& sig : csp.second.signatures) {
+
+        if (!csp.first.first.isPartOf(sig->d_signer)) {
+          return increaseDNSSECStateCounter(Bogus);
+        }
+
         vState newState = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
 
         if (newState == Bogus) // No hope
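Review bot: The added bailiwick check at the top of the signature loop carries no comment stating the invariant it enforces, so a reader of validateRecords cannot tell from the code why an RRSIG is rejected before getKeysFor is even consulted. Suggest a comment above the `if`: `// An RRSIG whose signer is not the owner name or one of its ancestors is out of bailiwick: it must not be used to validate this RRset, so treat the RRset as Bogus.` It is also worth noting that the check returns from the whole function on the first offending signature rather than skipping that signature and trying the remaining ones; whether that is the intended behaviour is not visible from this hunk and should be confirmed against the Knot Resolver fix referenced in the description. The body of validateRecords continues beyond the end of the hunk.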