diff options
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 1850d45..21326fa 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -3172,11 +3172,14 @@ static int dnssec_validate_records( DnsTransaction *t, Phase phase, bool *have_nsec, + unsigned *nvalidations, DnsAnswer **validated) { DnsResourceRecord *rr; int r; + assert(nvalidations); + /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */ DNS_ANSWER_FOREACH(rr, t->answer) { @@ -3218,6 +3221,7 @@ static int dnssec_validate_records( &rrsig); if (r < 0) return r; + *nvalidations += r; log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result)); @@ -3415,7 +3419,8 @@ static int dnssec_validate_records( DNSSEC_SIGNATURE_EXPIRED, DNSSEC_NO_SIGNATURE)) manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key); - else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */ + else /* DNSSEC_MISSING_KEY, DNSSEC_UNSUPPORTED_ALGORITHM, + or DNSSEC_TOO_MANY_VALIDATIONS */ manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key); /* This is a primary response to our question, and it failed validation. @@ -3508,13 +3513,21 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { return r; phase = DNSSEC_PHASE_DNSKEY; - for (;;) { + for (unsigned nvalidations = 0;;) { bool have_nsec = false; - r = dnssec_validate_records(t, phase, &have_nsec, &validated); + r = dnssec_validate_records(t, phase, &have_nsec, &nvalidations, &validated); if (r <= 0) return r; + if (nvalidations > DNSSEC_VALIDATION_MAX) { + /* This reply requires an onerous number of signature validations to verify. Let's + * not waste our time trying, as this shouldn't happen for well-behaved domains + * anyway. */ + t->answer_dnssec_result = DNSSEC_TOO_MANY_VALIDATIONS; + return 0; + } + /* Try again as long as we managed to achieve something */ if (r == 1) continue; |