author | Vladimír Čunát <vladimir.cunat@nic.cz> | 2017-08-09 14:19:39 +0200 |
---|---|---|
committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2017-08-09 14:19:39 +0200 |
commit | 20f3b92a690f4a8e9f1455d4ce27832c21d9343a (patch) | |
tree | 71ea519804d07fa9843527458806a67ed81403ad | |
parent | Merge !349: modules/http: fix compatibility with Prometheus (diff) | |
parent | gitlab CI: try to fix it (diff) | |
Merge !350: Release 1.3.3v1.3.3
-rw-r--r-- | .gitlab-ci.yml | 7 | ||||
-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | config.mk | 2 | ||||
-rw-r--r-- | daemon/README.rst | 1 | ||||
-rw-r--r-- | lib/dnssec.c | 23 | ||||
-rw-r--r-- | lib/dnssec.h | 12 |
6 files changed, 36 insertions, 17 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8f24cf6c..c31d8667 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -30,8 +30,11 @@ test:linux:amd64:
 deckard:linux:amd64:
 stage: test
 script:
- - LC_ALL=C.UTF-8 add-apt-repository ppa:raphink/augeas -y
- - apt-get install -y python-yaml python-augeas
+ - apt purge -y python-dnspython python3-dnspython
+ - apt update
+ - apt install python-pip libffi-dev libaugeas-dev -y
+ - pip install --upgrade pip
+ - pip install --user dnspython pyyaml python-augeas
 - PREFIX=$(pwd)/.local MAKEFLAGS="--jobs $(nproc) --keep-going" make check-integration
 dependencies:
 - build:linux:amd64
@@ -1,6 +1,12 @@
-Knot Resolver 1.3.3 (2017-0_-__)
+Knot Resolver 1.3.3 (2017-08-09)
 ================================
 
+Security
+--------
+- Fix a critical DNSSEC flaw. Signatures might be accepted as valid
+ even if the signed data was not in bailiwick of the DNSKEY used to
+ sign it, assuming the trust chain to that DNSKEY was valid.
+
 Bugfixes
 --------
 - iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
@@ -1,7 +1,7 @@
 # Project
 MAJOR := 1
 MINOR := 3
-PATCH := 2
+PATCH := 3
 EXTRA :=
 ABIVER := 3
 BUILDMODE := dynamic
diff --git a/daemon/README.rst b/daemon/README.rst
index f8e70b5f..7e5e1d35 100644
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -147,6 +147,7 @@ The daemon also supports `systemd socket activation`_, it is automatically detec
 To run the daemon by hand, such as under ``nohup``, use ``-f 1`` to start a single fork. For example:
 .. code-block:: bash
+
 $ nohup ./daemon/kresd -a 127.0.0.1 -f 1 &
diff --git a/lib/dnssec.c b/lib/dnssec.c
index dcfd8298..98a89d63 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -36,6 +36,10 @@
 #include "lib/dnssec.h"
 #include "lib/resolve.h"
+/* forward */
+static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
+ const knot_rrset_t *covered, size_t key_pos, const struct dseckey *key);
+
 void kr_crypto_init(void)
 {
 dnssec_crypto_init();
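Review bot: The new `pip install --upgrade pip` and `pip install --user dnspython pyyaml python-augeas` lines install whatever version PyPI serves at job time, so the integration run is not reproducible and a broken or hijacked release of any of those packages reaches CI without review. Pin them, e.g. `pip install --user 'dnspython==<tested version>' 'pyyaml==<tested version>' 'python-augeas==<tested version>'`, ideally from a requirements file with `--require-hashes`. Whether the apt packages are similarly unpinned depends on how the base image is fixed, which is not visible here. The `deckard:linux:amd64` job continues past the end of the hunk.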
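Review bot: Turning `kr_rrset_validate_with_key` into a `static` function (this forward declaration, together with the removal of its prototype from lib/dnssec.h) drops a symbol that was previously exported from the library, yet `ABIVER := 3` in config.mk is left unchanged in the same commit. If libkres is shipped as a shared object versioned by ABIVER, an out-of-tree consumer of that symbol would fail at load time rather than at build time; either bump ABIVER or state in NEWS that the symbol was never part of the supported API. The declaration itself matches the definition that follows in this file.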
@@ -147,7 +151,16 @@ int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx, const knot_rrset_t *cover
 return kr_error(ENOENT);
 }
 
-int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
+/**
+ * Validate RRSet using a specific key.
+ * @param vctx Pointer to validation context.
+ * @param covered RRSet covered by a signature. It must be in canonical format.
+ * @param key_pos Position of the key to be validated with.
+ * @param key Key to be used to validate.
+ If NULL, then key from DNSKEY RRSet is used.
+ * @return 0 or error code, same as vctx->result.
+ */
+static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
 const knot_rrset_t *covered,
 size_t key_pos, const struct dseckey *key)
 {
@@ -157,6 +170,14 @@ int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
 uint32_t timestamp = vctx->timestamp;
 bool has_nsec3 = vctx->has_nsec3;
 struct dseckey *created_key = NULL;
+
+ /* It's just caller's approximation that the RR is in that particular zone.
+ * We MUST guard against attempts of zones signing out-of-bailiwick records. */
+ if (!knot_dname_in(zone_name, covered->owner)) {
+ vctx->result = kr_error(ENOENT);
+ return vctx->result;
+ }
+
 if (key == NULL) {
 const knot_rdata_t *krr = knot_rdataset_at(&keys->rrs, key_pos);
 int ret = kr_dnssec_key_from_rdata(&created_key, keys->owner,
diff --git a/lib/dnssec.h b/lib/dnssec.h
index ff173f69..7c6d2a52 100644
--- a/lib/dnssec.h
+++ b/lib/dnssec.h
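Review bot: The doc comment moved here for `kr_rrset_validate_with_key` does not mention the precondition the function now enforces in its body — `covered->owner` has to lie within the zone name the context carries, otherwise the function returns ENOENT without examining a single RRSIG — so a caller reading only this comment cannot tell why validation of a perfectly good signature failed. Add a line such as ` * @note Returns ENOENT unless covered->owner is at or below the context's zone name; out-of-bailiwick records are never validated.` The `@return` line could also say that ENOENT is used for this case as well as for "no key matched". The function's body continues beyond the end of this hunk.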
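Review bot: The new guard compares `covered->owner` with `zone_name`, which the accompanying comment itself calls only the caller's approximation of the zone, while the name that actually bounds what a key may sign is the owner of the DNSKEY RRset, `keys->owner`, which this function already uses a few lines below. If any caller builds the context with a `zone_name` that is an ancestor of `keys->owner` (not verifiable from this hunk), a key could still validate a record sitting between the two names. Checking the DNSKEY owner as well, `if (!knot_dname_in(keys->owner, covered->owner)) {`, does not depend on that caller invariant; if `zone_name == keys->owner` is guaranteed by every caller, a comment saying so next to the check would let the next reader stop worrying. Both `zone_name` and `keys` are initialised above the hunk, and the function continues below it.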
@@ -72,18 +72,6 @@ int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx,
 const knot_rrset_t *covered);
 
 /**
- * Validate RRSet using a specific key.
- * @param vctx Pointer to validation context.
- * @param covered RRSet covered by a signature. It must be in canonical format.
- * @param key_pos Position of the key to be validated with.
- * @param key Key to be used to validate.
- If NULL, then key from DNSKEY RRSet is used.
- * @return 0 or error code, same as vctx->result.
- */
-int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
- const knot_rrset_t *covered,
- size_t key_pos, const struct dseckey *key);
-/**
 * Check whether the DNSKEY rrset matches the supplied trust anchor RRSet.
 * @param vctx Pointer to validation context.
 * @param ta Trust anchor RRSet against which to validate the DNSKEY RRSet. |