Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rework validate-by-DS to avoid DoS vuln without arbitrary limits.

Browse Source 
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
This commit is contained in:
Simon Kelley
2024-01-04 15:57:43 +00:00
parent 06945c4b77
commit 6f23a0a75e
5 changed files with 150 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/option.c
View File

@@ -5870,8 +5870,6 @@ void read_opts(int argc, char **argv, char *compile_opts)
daemon->host_index = SRC_AH;
daemon->max_procs = MAX_PROCS;
#ifdef HAVE_DNSSEC
daemon->limit_key_fail = LIMIT_KEY_FAIL;
daemon->limit_ds_fail = LIMIT_DS_FAIL;
daemon->limit_sig_fail = LIMIT_SIG_FAIL;
daemon->limit_crypto = LIMIT_CRYPTO;
daemon->limit_work = DNSSEC_WORK;