1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From: =?utf-8?b?VmxhZGltw61yIMSMdW7DoXQ=?= <vladimir.cunat@nic.cz>
Date: Mon, 12 Feb 2024 11:16:47 +0100
Subject: validator: refuse to validate answers with more than 8 NSEC3 records
---
lib/layer/validate.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 5fea99d..95a7624 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1120,6 +1120,24 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
}
}
+ /* Check for too many NSEC3 records. That's an issue, as some parts of validation
+ * are quadratic in their count, doing nontrivial computations inside.
+ * Also there seems to be no use in sending many NSEC3 records. */
+ if (!qry->flags.CACHED) {
+ const knot_pktsection_t *sec = knot_pkt_section(pkt, KNOT_AUTHORITY);
+ int count = 0;
+ for (int i = 0; i < sec->count; ++i)
+ count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3);
+ if (count > 8) {
+ VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count);
+ kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS,
+ /* It's not about iteration values per se, but close enough. */
+ "DYRH: too many NSEC3 records");
+ qry->flags.DNSSEC_BOGUS = true;
+ return KR_STATE_FAIL;
+ }
+ }
+
if (knot_wire_get_aa(pkt->wire) && qtype == KNOT_RRTYPE_DNSKEY) {
const knot_rrset_t *ds = qry->zone_cut.trust_anchor;
if (ds && !kr_ds_algo_support(ds)) {
|