From 28b66a9478002eeab98650bc314fd37799985cc1 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Sun, 20 Jul 2014 13:15:53 +0200 Subject: [PATCH] limit the number of NSEC3 iterations RFC5155 10.3 --- pdns/common_startup.cc | 1 + pdns/dbdnsseckeeper.cc | 11 ++++++++++- pdns/pdns.conf-dist | 5 +++++ pdns/pdnssec.cc | 1 + pdns/rfc2136handler.cc | 5 +++++ 5 files changed, 22 insertions(+), 1 deletion(-) diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index ce7184e96..cff84a2fb 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc @@ -159,6 +159,7 @@ void declareArguments() ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256"; ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0"; + ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3 ::arg().set("include-dir","Include *.conf files from this directory"); } diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index 1c7c7242f..da7b37f56 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -233,11 +233,16 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte if(value.empty()) { // "no NSEC3" return false; } - + + static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations"); if(ns3p) { NSEC3PARAMRecordContent* tmp=dynamic_cast(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value)); *ns3p = *tmp; delete tmp; + if (ns3p->d_iterations > maxNSEC3Iterations) { + ns3p->d_iterations = maxNSEC3Iterations; + L< maxNSEC3Iterations) + throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'"); + clearCaches(zname); string descr = ns3p.getZoneRepresentation(); vector meta; diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist index f74fc73ec..fc767ac65 100644 --- a/pdns/pdns.conf-dist +++ b/pdns/pdns.conf-dist 
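Review bot: The `max-nsec3-iterations` declaration and its default `"500"` are written twice, here in declareArguments() and again in loadMainConfig() in pdns/pdnssec.cc, so the server and the pdnssec tool can end up with different limits if only one copy is edited later. The help text does not say what happens to a zone above the limit; something like `"Limit the number of NSEC3 hash iterations (higher stored values are capped)"` would tell the operator. RFC 5155 10.3, which the trailing comment cites, scales the limit with key size (150, 500 and 2,500 iterations for 1024-, 2048- and 4096-bit keys), while this is one global value. A comment such as `// RFC5155 10.3: 500 is the limit for 2048-bit keys` would make that assumption visible.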
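Review bot: In getNSEC3PARAM the limit is read with `::arg().asNum("max-nsec3-iterations")` into a function-local `static int` and used without a range check, so a negative setting makes `ns3p->d_iterations > maxNSEC3Iterations` true for every zone and then assigns that value to `d_iterations`. The type of `d_iterations` is not visible here; if it is unsigned, the count would wrap upward instead of being capped. Flooring the value once, e.g. `static int maxNSEC3Iterations=std::max(0, ::arg().asNum("max-nsec3-iterations"));`, closes that, and the same applies to the check in setNSEC3PARAM. Capping at read time also means the server hashes with a different iteration count than the stored NSEC3PARAM, and presumably than any hashes already stored for the zone, so a comment next to the assignment such as `// capped value differs from the stored NSEC3PARAM; the zone needs new parameters` would help whoever debugs denial-of-existence failures later. Part of this section is missing on this page (the statement after the assignment and the header of the setNSEC3PARAM hunk), and both function bodies extend outside the hunks.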
@@ -264,6 +264,11 @@ # # max-ent-entries=100000 +################################# +# max-nsec3-iterations Limit the number of NSEC3 hash iterations +# +# max-nsec3-iterations=500 + ################################# # max-queue-length Maximum queuelength before considering situation lost # diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index 9379461d7..06687b794 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc @@ -137,6 +137,7 @@ void loadMainConfig(const std::string& configdir) ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom"; ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no"; + ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3 ::arg().laxFile(configname.c_str()); BackendMakers().launch(::arg()["launch"]); // vrooooom! diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index 408b16ad1..d4dadf778 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc @@ -921,6 +921,11 @@ int PacketHandler::processUpdate(DNSPacket *p) { di.backend->abortTransaction(); return RCode::ServFail; } + catch(std::exception &e) { + L<abortTransaction(); + return RCode::ServFail; + } catch (...) { L<abortTransaction(); -- 2.49.0
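Review bot: The new handler in processUpdate takes the exception as `catch(std::exception &e)` although it only reads it; `catch(const std::exception &e)` is the conventional form. With this commit, a dynamic update rejected by the new limit in setNSEC3PARAM appears to reach the client through this handler as `RCode::ServFail`, the same code the neighbouring handlers return for other failures. The log line is therefore the only place an operator can tell the two apart. The log statement is truncated on this page; if it does not already include `e.what()` and the zone name, it should. processUpdate starts and ends outside the hunk.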