From c7fbe6c91794a99d7f5aae4338d7b6435ce49146 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Tue, 10 May 2016 12:47:46 +0200
Subject: [PATCH] Check/fix invalid NSEC3PARAM hash algo
---
 modules/bindbackend/binddnssec.cc | 5 +++++
 pdns/dbdnsseckeeper.cc | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc
index 9d15e61e5..7e033569a 100644
--- a/modules/bindbackend/binddnssec.cc
+++ b/modules/bindbackend/binddnssec.cc
@@ -172,6 +172,11 @@ bool Bind2Backend::getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* n
 ns3p->d_iterations = maxNSEC3Iterations;
 L<d_algorithm != 1) {
+ L<d_algorithm)<<"', setting to 1 for zone '"<d_algorithm = 1;
+ }
 }
 return true;
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index e12fae21e..644c78251 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -265,6 +265,10 @@ bool DNSSECKeeper::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent*
 ns3p->d_iterations = maxNSEC3Iterations;
 L<d_algorithm != 1) {
+ L<d_algorithm)<<"', setting to 1 for zone '"<d_algorithm = 1;
+ }
 }
 if(narrow) {
 getFromMeta(zname, "NSEC3NARROW", value);
@@ -279,6 +283,9 @@ bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordCon
 if (ns3p.d_iterations > maxNSEC3Iterations)
 throw runtime_error("Can't set NSEC3PARAM for zone '"+zname.toString()+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+ if (ns3p.d_algorithm != 1)
+ throw runtime_error("Invalid hash algorithm for NSEC3: '"+std::to_string(ns3p.d_algorithm)+"' for zone '"+zname.toString()+"'. The only valid value is '1'");
+
 clearCaches(zname);
 string descr = ns3p.getZoneRepresentation();
 vector meta;
--
2.40.0
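Review bot: The new `if (ns3p->d_algorithm != 1)` branch in Bind2Backend::getNSEC3PARAM corrects only the in-memory record, so the invalid value remains in the stored zone metadata and, as far as the garbled hunk text shows, the Warning-level log line is re-emitted on every call for that zone rather than once. The same branch is added to DNSSECKeeper::getNSEC3PARAM in the pdns/dbdnsseckeeper.cc hunk. A short comment would make the read-time-only nature explicit, e.g. `// RFC 5155 defines only NSEC3 hash algorithm 1 (SHA-1); fix up the in-memory record here, setNSEC3PARAM rejects other values on write`, and the literal `1` shared with the setter belongs in one named constant. The hunk text in this view has its `<<` stream operators stripped, so the exact statements are partly inferred; both enclosing functions begin and end outside their hunks.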
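Review bot: The new check in DNSSECKeeper::setNSEC3PARAM hard-codes the accepted algorithm as the literal `1` in both the comparison and the error message, independently of the two getNSEC3PARAM hunks, so the accepted set is now spelled out in three places. A single shared constant, e.g. `static const uint8_t validNSEC3HashAlgorithm = 1; // RFC 5155 section 11: SHA-1 is the only registered NSEC3 hash algorithm`, would keep the getter fix-up and the setter rejection in step. Placing the check before `clearCaches(zname)` is right, since a rejected record then leaves the cached state untouched. setNSEC3PARAM continues outside the hunk.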