diff options
| author | Vladimír Čunát <vladimir.cunat@nic.cz> | 2024-02-12 11:16:47 +0100 |
|---|---|---|
| committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2024-02-12 11:20:01 +0100 |
| commit | a05cf1d379d1af0958587bd111f791b72f404364 (patch) | |
| tree | 6d46f51a4b913eb45e65ebc052e9fc72dece4d40 /lib/layer/validate.c | |
| parent | validator: limit the amount of work on SHA1 in NSEC3 proofs (diff) | |
| download | knot-resolver-a05cf1d379d1af0958587bd111f791b72f404364.tar.xz knot-resolver-a05cf1d379d1af0958587bd111f791b72f404364.zip | |
validator: refuse to validate answers with more than 8 NSEC3 records
Diffstat (limited to '')
| -rw-r--r-- | lib/layer/validate.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/layer/validate.c b/lib/layer/validate.c index 1b1237da..a2144660 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c @@ -1120,6 +1120,24 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt) } } + /* Check for too many NSEC3 records. That's an issue, as some parts of validation + * are quadratic in their count, doing nontrivial computations inside. + * Also there seems to be no use in sending many NSEC3 records. */ + if (!qry->flags.CACHED) { + const knot_pktsection_t *sec = knot_pkt_section(pkt, KNOT_AUTHORITY); + int count = 0; + for (int i = 0; i < sec->count; ++i) + count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3); + if (count > 8) { + VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count); + kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS, + /* It's not about iteration values per se, but close enough. */ + "DYRH: too many NSEC3 records"); + qry->flags.DNSSEC_BOGUS = true; + return KR_STATE_FAIL; + } + } + if (knot_wire_get_aa(pkt->wire) && qtype == KNOT_RRTYPE_DNSKEY) { const knot_rrset_t *ds = qry->zone_cut.trust_anchor; if (ds && !kr_ds_algo_support(ds)) { |