Process RRSIGs also in authority and additional sections.

This commit is contained in:
Giovanni Bajo
2012-04-28 12:22:41 +02:00
committed by Simon Kelley
parent e83297d0f6
commit 23c2176681


@@ -435,17 +435,18 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
{ {
unsigned char *p, *reply; unsigned char *p, *reply;
char *owner = daemon->namebuff; char *owner = daemon->namebuff;
int i, qtype, qclass, rdlen; int i, s, qtype, qclass, rdlen;
unsigned long ttl; unsigned long ttl;
int slen[3] = { ntohs(header->ancount), ntohs(header->nscount), ntohs(header->arcount) };
if (header->ancount == 0) if (slen[0] + slen[1] + slen[2] == 0)
return 0; return 0;
if (!(reply = p = skip_questions(header, pktlen))) if (!(reply = p = skip_questions(header, pktlen)))
return 0; return 0;
/* First, process DNSKEY/DS records and add them to the cache. */ /* First, process DNSKEY/DS records and add them to the cache. */
cache_start_insert(); cache_start_insert();
for (i = 0; i < ntohs(header->ancount); i++) for (i = 0; i < slen[0]; i++)
{ {
if (!extract_name(header, pktlen, &p, owner, 1, 10)) if (!extract_name(header, pktlen, &p, owner, 1, 10))
return 0; return 0;
@@ -471,25 +472,29 @@ int dnssec_validate(struct dns_header *header, size_t pktlen)
We want to do this in a separate step because we want the cache We want to do this in a separate step because we want the cache
to be already populated with DNSKEYs before parsing signatures. */ to be already populated with DNSKEYs before parsing signatures. */
p = reply; p = reply;
for (i = 0; i < ntohs(header->ancount); i++) for (s = 0; s < 3; ++s)
{ {
if (!extract_name(header, pktlen, &p, owner, 1, 10)) reply = p;
return 0; for (i = 0; i < slen[s]; i++)
GETSHORT(qtype, p);
GETSHORT(qclass, p);
GETLONG(ttl, p);
GETSHORT(rdlen, p);
if (qtype == T_RRSIG)
{ {
printf("RRSIG found (owner: %s)\n", owner); if (!extract_name(header, pktlen, &p, owner, 1, 10))
/* TODO: missing logic. We should only validate RRSIGs for which we return 0;
have a valid DNSKEY that is referenced by a DS record upstream. GETSHORT(qtype, p);
There is a memory vs CPU conflict here; should we validate everything GETSHORT(qclass, p);
to save memory and thus waste CPU, or better first acquire all information GETLONG(ttl, p);
(wasting memory) and then doing the minimum CPU computations required? */ GETSHORT(rdlen, p);
dnssec_parserrsig(header, pktlen, reply, ntohs(header->ancount), owner, qclass, rdlen, p); if (qtype == T_RRSIG)
{
printf("RRSIG found (owner: %s)\n", owner);
/* TODO: missing logic. We should only validate RRSIGs for which we
have a valid DNSKEY that is referenced by a DS record upstream.
There is a memory vs CPU conflict here; should we validate everything
to save memory and thus waste CPU, or better first acquire all information
(wasting memory) and then doing the minimum CPU computations required? */
dnssec_parserrsig(header, pktlen, reply, slen[s], owner, qclass, rdlen, p);
}
p += rdlen;
} }
p += rdlen;
} }
return 1; return 1;
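Review bot: The new per-section loop (the `for (s = 0; s < 3; ++s)` body) reads the 10-byte fixed RR header with GETSHORT/GETLONG and then skips `rdlen` bytes with no check against `pktlen`; only `extract_name` is bounds-checked, so a truncated or crafted reply can walk `p` past the end of the packet before `dnssec_parserrsig` is called or the next name is extracted. This existed in the answer-only loop before, but the commit now applies it to authority and additional counts that are also attacker-controlled. I would add, right after the `extract_name` check, `if (pktlen - (size_t)(p - (unsigned char *)header) < 10) return 0;` and, after `GETSHORT(rdlen, p);`, `if (pktlen - (size_t)(p - (unsigned char *)header) < (size_t)rdlen) return 0;` so both the header read and the `p += rdlen` skip stay inside the buffer. The `printf("RRSIG found ...")` and the TODO are carried over unchanged and presumably still debugging scaffolding. dnssec_validate's closing brace is outside the hunk.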