Skip to content

Commit

Permalink
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
Browse files Browse the repository at this point in the history
  enabled (RFC9077).
  • Loading branch information
wcawijngaards committed Sep 10, 2024
1 parent d3fdbba commit 24e0f0a
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 1 deletion.
4 changes: 4 additions & 0 deletions doc/Changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
10 September 2024: Wouter
- Fix to limit NSEC and NSEC3 TTL when aggressive nsec is
enabled (RFC9077).

6 September 2024: Yorgos
- Fix alloc-size and calloc-transposed-args compiler warnings.
- Fix comment to not trigger doxygen unknown command.
Expand Down
47 changes: 46 additions & 1 deletion iterator/iterator.c
Original file line number Diff line number Diff line change
Expand Up @@ -367,6 +367,48 @@ error_response_cache(struct module_qstate* qstate, int id, int rcode)
return error_response(qstate, id, rcode);
}

/** limit NSEC and NSEC3 TTL in response, RFC9077 */
static void
limit_nsec_ttl(struct dns_msg* msg)
{
size_t i;
int found = 0;
time_t soa_ttl = 0;
/* Limit the NSEC and NSEC3 TTL values to the SOA TTL and SOA minimum
* TTL. That has already been applied to the SOA record ttl. */
for(i=0; i<msg->rep->rrset_count; i++) {
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA) {
struct packed_rrset_data* soadata = (struct packed_rrset_data*)s->entry.data;
found = 1;
soa_ttl = soadata->ttl;
break;
}
}
if(!found)
return;
for(i=0; i<msg->rep->rrset_count; i++) {
struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC ||
ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC3) {
struct packed_rrset_data* data = (struct packed_rrset_data*)s->entry.data;
/* Limit the negative TTL. */
if(data->ttl > soa_ttl) {
if(verbosity >= VERB_ALGO) {
char buf[256];
snprintf(buf, sizeof(buf),
"limiting TTL %d of %s record to the SOA TTL of %d for",
(int)data->ttl, ((ntohs(s->rk.type) == LDNS_RR_TYPE_NSEC)?"NSEC":"NSEC3"), (int)soa_ttl);
log_nametypeclass(VERB_ALGO, buf,
s->rk.dname, ntohs(s->rk.type),
ntohs(s->rk.rrset_class));
}
data->ttl = soa_ttl;
}
}
}
}

/** check if prepend item is duplicate item */
static int
prepend_is_duplicate(struct ub_packed_rrset_key** sets, size_t to,
Expand Down Expand Up @@ -4366,7 +4408,10 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
if(verbosity >= VERB_ALGO)
log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
iq->response->rep);


if(qstate->env->cfg->aggressive_nsec) {
limit_nsec_ttl(iq->response);
}
if(event == module_event_capsfail || iq->caps_fallback) {
if(qstate->env->cfg->qname_minimisation &&
iq->minimisation_state != DONOT_MINIMISE_STATE) {
Expand Down

0 comments on commit 24e0f0a

Please sign in to comment.