Rework validate-by-DS to avoid DoS vuln without arbitrary limits.

By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
Simon Kelley
2024-01-04 15:57:43 +00:00
parent 06945c4b77
commit 6f23a0a75e
5 changed files with 150 additions and 166 deletions


@@ -1243,7 +1243,7 @@ extern struct daemon {
int rr_status_sz;
int dnssec_no_time_check;
int back_to_the_future;
int limit_key_fail, limit_ds_fail, limit_sig_fail, limit_crypto, limit_work, limit_nsec3_iters;
int limit_sig_fail, limit_crypto, limit_work, limit_nsec3_iters;
#endif
struct frec *frec_list;
struct frec_src *free_frec_src;
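Review bot: Dropping `limit_key_fail` and `limit_ds_fail` from `struct daemon` in this header hunk only holds up if every increment, reset and report of those two counters in the other four changed files goes in the same commit; otherwise the tree fails to build at the first remaining reference. The rewritten line keeps `limit_sig_fail, limit_crypto, limit_work, limit_nsec3_iters`, so only the key and DS failure limits are being retired, which matches the commit message's claim that the per-DNSKEY hashing rework makes those two bounds unnecessary, and a one-line comment in the header saying why the DS/DNSKEY limits are gone (hashing is now per digest algorithm, bounded by the number of implemented digests) would save the next reader from looking for them.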