diff options
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index f63cd9b..71a915f 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -27,8 +27,9 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL); /* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */ #define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE) -/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */ -#define NSEC3_ITERATIONS_MAX 2500 +/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but + * RFC9276 ยง 3.2 says that we should reduce the acceptable iteration count */ +#define NSEC3_ITERATIONS_MAX 100 /* * The DNSSEC Chain of trust: @@ -1176,6 +1177,7 @@ int dnssec_verify_rrset_search( DnsResourceRecord **ret_rrsig) { bool found_rrsig = false, found_invalid = false, found_expired_rrsig = false, found_unsupported_algorithm = false; + unsigned nvalidations = 0; DnsResourceRecord *rrsig; int r; @@ -1221,6 +1223,14 @@ int dnssec_verify_rrset_search( if (realtime == USEC_INFINITY) realtime = now(CLOCK_REALTIME); + /* Have we seen an unreasonable number of invalid signaures? */ + if (nvalidations > DNSSEC_INVALID_MAX) { + if (ret_rrsig) + *ret_rrsig = NULL; + *result = DNSSEC_TOO_MANY_VALIDATIONS; + return (int) nvalidations; + } + /* Yay, we found a matching RRSIG with a matching * DNSKEY, awesome. Now let's verify all entries of * the RRSet against the RRSIG and DNSKEY @@ -1230,6 +1240,8 @@ int dnssec_verify_rrset_search( if (r < 0) return r; + nvalidations++; + switch (one_result) { case DNSSEC_VALIDATED: @@ -1240,7 +1252,7 @@ int dnssec_verify_rrset_search( *ret_rrsig = rrsig; *result = one_result; - return 0; + return (int) nvalidations; case DNSSEC_INVALID: /* If the signature is invalid, let's try another @@ -1287,7 +1299,7 @@ int dnssec_verify_rrset_search( if (ret_rrsig) *ret_rrsig = NULL; - return 0; + return (int) nvalidations; } int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) { @@ -2571,6 +2583,7 @@ static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = { [DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary", [DNSSEC_NSEC_MISMATCH] = "nsec-mismatch", [DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server", + [DNSSEC_TOO_MANY_VALIDATIONS] = "too-many-validations", }; DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult); |