1 /* 2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file has routine(s) for cleaning up incoming DNS messages from 40 * possible useless or malicious junk in it. 41 */ 42 #include "config.h" 43 #include "iterator/iter_scrub.h" 44 #include "iterator/iterator.h" 45 #include "iterator/iter_priv.h" 46 #include "services/cache/rrset.h" 47 #include "util/log.h" 48 #include "util/net_help.h" 49 #include "util/regional.h" 50 #include "util/config_file.h" 51 #include "util/module.h" 52 #include "util/data/msgparse.h" 53 #include "util/data/dname.h" 54 #include "util/data/msgreply.h" 55 #include "util/alloc.h" 56 #include "sldns/sbuffer.h" 57 58 /** RRset flag used during scrubbing. The RRset is OK. */ 59 #define RRSET_SCRUB_OK 0x80 60 61 /** remove rrset, update loop variables */ 62 static void 63 remove_rrset(const char* str, sldns_buffer* pkt, struct msg_parse* msg, 64 struct rrset_parse* prev, struct rrset_parse** rrset) 65 { 66 if(verbosity >= VERB_QUERY && str 67 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) { 68 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 69 dname_pkt_copy(pkt, buf, (*rrset)->dname); 70 log_nametypeclass(VERB_QUERY, str, buf, 71 (*rrset)->type, ntohs((*rrset)->rrset_class)); 72 } 73 if(prev) 74 prev->rrset_all_next = (*rrset)->rrset_all_next; 75 else msg->rrset_first = (*rrset)->rrset_all_next; 76 if(msg->rrset_last == *rrset) 77 msg->rrset_last = prev; 78 msg->rrset_count --; 79 switch((*rrset)->section) { 80 case LDNS_SECTION_ANSWER: msg->an_rrsets--; break; 81 case LDNS_SECTION_AUTHORITY: msg->ns_rrsets--; break; 82 case LDNS_SECTION_ADDITIONAL: msg->ar_rrsets--; break; 83 default: log_assert(0); 84 } 85 msgparse_bucket_remove(msg, *rrset); 86 *rrset = (*rrset)->rrset_all_next; 87 } 88 89 /** return true if rr type has additional names in it */ 90 static int 91 has_additional(uint16_t t) 92 { 93 switch(t) { 94 case LDNS_RR_TYPE_MB: 95 case LDNS_RR_TYPE_MD: 96 case LDNS_RR_TYPE_MF: 97 case LDNS_RR_TYPE_NS: 98 case LDNS_RR_TYPE_MX: 99 case LDNS_RR_TYPE_KX: 100 case LDNS_RR_TYPE_SRV: 101 return 1; 102 case LDNS_RR_TYPE_NAPTR: 103 /* TODO: NAPTR not supported, glue stripped off */ 104 return 0; 105 } 106 return 0; 107 } 108 109 /** get additional name from rrset RR, return false if no name present */ 110 static int 111 get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr, 112 uint8_t** nm, size_t* nmlen, sldns_buffer* pkt) 113 { 114 size_t offset = 0; 115 size_t len, oldpos; 116 switch(rrset->type) { 117 case LDNS_RR_TYPE_MB: 118 case LDNS_RR_TYPE_MD: 119 case LDNS_RR_TYPE_MF: 120 case LDNS_RR_TYPE_NS: 121 offset = 0; 122 break; 123 case LDNS_RR_TYPE_MX: 124 case LDNS_RR_TYPE_KX: 125 offset = 2; 126 break; 127 case LDNS_RR_TYPE_SRV: 128 offset = 6; 129 break; 130 case LDNS_RR_TYPE_NAPTR: 131 /* TODO: NAPTR not supported, glue stripped off */ 132 return 0; 133 default: 134 return 0; 135 } 136 len = sldns_read_uint16(rr->ttl_data+sizeof(uint32_t)); 137 if(len < offset+1) 138 return 0; /* rdata field too small */ 139 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset; 140 oldpos = sldns_buffer_position(pkt); 141 sldns_buffer_set_position(pkt, (size_t)(*nm - sldns_buffer_begin(pkt))); 142 *nmlen = pkt_dname_len(pkt); 143 sldns_buffer_set_position(pkt, oldpos); 144 if(*nmlen == 0) 145 return 0; 146 return 1; 147 } 148 149 /** Place mark on rrsets in additional section they are OK */ 150 static void 151 mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg, 152 struct rrset_parse* rrset) 153 { 154 /* Mark A and AAAA for NS as appropriate additional section info. */ 155 uint8_t* nm = NULL; 156 size_t nmlen = 0; 157 struct rr_parse* rr; 158 159 if(!has_additional(rrset->type)) 160 return; 161 for(rr = rrset->rr_first; rr; rr = rr->next) { 162 if(get_additional_name(rrset, rr, &nm, &nmlen, pkt)) { 163 /* mark A */ 164 hashvalue_type h = pkt_hash_rrset(pkt, nm, 165 LDNS_RR_TYPE_A, rrset->rrset_class, 0); 166 struct rrset_parse* r = msgparse_hashtable_lookup( 167 msg, pkt, h, 0, nm, nmlen, 168 LDNS_RR_TYPE_A, rrset->rrset_class); 169 if(r && r->section == LDNS_SECTION_ADDITIONAL) { 170 r->flags |= RRSET_SCRUB_OK; 171 } 172 173 /* mark AAAA */ 174 h = pkt_hash_rrset(pkt, nm, LDNS_RR_TYPE_AAAA, 175 rrset->rrset_class, 0); 176 r = msgparse_hashtable_lookup(msg, pkt, h, 0, nm, 177 nmlen, LDNS_RR_TYPE_AAAA, rrset->rrset_class); 178 if(r && r->section == LDNS_SECTION_ADDITIONAL) { 179 r->flags |= RRSET_SCRUB_OK; 180 } 181 } 182 } 183 } 184 185 /** Get target name of a CNAME */ 186 static int 187 parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname, 188 size_t* snamelen, sldns_buffer* pkt) 189 { 190 size_t oldpos, dlen; 191 if(rrset->rr_count != 1) { 192 struct rr_parse* sig; 193 verbose(VERB_ALGO, "Found CNAME rrset with " 194 "size > 1: %u", (unsigned)rrset->rr_count); 195 /* use the first CNAME! */ 196 rrset->rr_count = 1; 197 rrset->size = rrset->rr_first->size; 198 for(sig=rrset->rrsig_first; sig; sig=sig->next) 199 rrset->size += sig->size; 200 rrset->rr_last = rrset->rr_first; 201 rrset->rr_first->next = NULL; 202 } 203 if(rrset->rr_first->size < sizeof(uint16_t)+1) 204 return 0; /* CNAME rdata too small */ 205 *sname = rrset->rr_first->ttl_data + sizeof(uint32_t) 206 + sizeof(uint16_t); /* skip ttl, rdatalen */ 207 *snamelen = rrset->rr_first->size - sizeof(uint16_t); 208 209 if(rrset->rr_first->outside_packet) { 210 if(!dname_valid(*sname, *snamelen)) 211 return 0; 212 return 1; 213 } 214 oldpos = sldns_buffer_position(pkt); 215 sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt))); 216 dlen = pkt_dname_len(pkt); 217 sldns_buffer_set_position(pkt, oldpos); 218 if(dlen == 0) 219 return 0; /* parse fail on the rdata name */ 220 *snamelen = dlen; 221 return 1; 222 } 223 224 /** Synthesize CNAME from DNAME, false if too long */ 225 static int 226 synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset, 227 uint8_t* alias, size_t* aliaslen, sldns_buffer* pkt) 228 { 229 /* we already know that sname is a strict subdomain of DNAME owner */ 230 uint8_t* dtarg = NULL; 231 size_t dtarglen; 232 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt)) 233 return 0; 234 if(qnamelen <= dname_rrset->dname_len) 235 return 0; 236 if(qnamelen == 0) 237 return 0; 238 log_assert(qnamelen > dname_rrset->dname_len); 239 /* DNAME from com. to net. with qname example.com. -> example.net. */ 240 /* so: \3com\0 to \3net\0 and qname \7example\3com\0 */ 241 *aliaslen = qnamelen + dtarglen - dname_rrset->dname_len; 242 if(*aliaslen > LDNS_MAX_DOMAINLEN) 243 return 0; /* should have been RCODE YXDOMAIN */ 244 /* decompress dnames into buffer, we know it fits */ 245 dname_pkt_copy(pkt, alias, qname); 246 dname_pkt_copy(pkt, alias+(qnamelen-dname_rrset->dname_len), dtarg); 247 return 1; 248 } 249 250 /** synthesize a CNAME rrset */ 251 static struct rrset_parse* 252 synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias, 253 size_t aliaslen, struct regional* region, struct msg_parse* msg, 254 struct rrset_parse* rrset, struct rrset_parse* prev, 255 struct rrset_parse* nx, sldns_buffer* pkt) 256 { 257 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region, 258 sizeof(struct rrset_parse)); 259 if(!cn) 260 return NULL; 261 memset(cn, 0, sizeof(*cn)); 262 cn->rr_first = (struct rr_parse*)regional_alloc(region, 263 sizeof(struct rr_parse)); 264 if(!cn->rr_first) 265 return NULL; 266 cn->rr_last = cn->rr_first; 267 /* CNAME from sname to alias */ 268 cn->dname = (uint8_t*)regional_alloc(region, *snamelen); 269 if(!cn->dname) 270 return NULL; 271 dname_pkt_copy(pkt, cn->dname, *sname); 272 cn->dname_len = *snamelen; 273 cn->type = LDNS_RR_TYPE_CNAME; 274 cn->section = rrset->section; 275 cn->rrset_class = rrset->rrset_class; 276 cn->rr_count = 1; 277 cn->size = sizeof(uint16_t) + aliaslen; 278 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0); 279 /* allocate TTL + rdatalen + uncompressed dname */ 280 memset(cn->rr_first, 0, sizeof(struct rr_parse)); 281 cn->rr_first->outside_packet = 1; 282 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region, 283 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen); 284 if(!cn->rr_first->ttl_data) 285 return NULL; 286 memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data, 287 sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */ 288 /* Apply cache TTL policy so DNAME and synthesized CNAME stay equal 289 * and respect cache-min-ttl/cache-max-ttl (same as rdata_copy path). */ 290 if(!SERVE_ORIGINAL_TTL) { 291 uint32_t ttl = sldns_read_uint32(cn->rr_first->ttl_data); 292 time_t ttl_t = (time_t)ttl; 293 if(ttl_t < MIN_TTL) ttl_t = MIN_TTL; 294 if(ttl_t > MAX_TTL) ttl_t = MAX_TTL; 295 ttl = (uint32_t)ttl_t; 296 sldns_write_uint32(cn->rr_first->ttl_data, ttl); 297 sldns_write_uint32(rrset->rr_first->ttl_data, ttl); 298 } 299 sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen); 300 memmove(cn->rr_first->ttl_data+6, alias, aliaslen); 301 cn->rr_first->size = sizeof(uint16_t)+aliaslen; 302 303 /* link it in */ 304 cn->rrset_all_next = nx; 305 if(prev) 306 prev->rrset_all_next = cn; 307 else msg->rrset_first = cn; 308 if(nx == NULL) 309 msg->rrset_last = cn; 310 msg->rrset_count ++; 311 msg->an_rrsets++; 312 /* it is not inserted in the msg hashtable. */ 313 314 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t); 315 *snamelen = aliaslen; 316 return cn; 317 } 318 319 /** check if DNAME applies to a name */ 320 static int 321 pkt_strict_sub(sldns_buffer* pkt, uint8_t* sname, uint8_t* dr) 322 { 323 uint8_t buf1[LDNS_MAX_DOMAINLEN+1]; 324 uint8_t buf2[LDNS_MAX_DOMAINLEN+1]; 325 /* decompress names */ 326 dname_pkt_copy(pkt, buf1, sname); 327 dname_pkt_copy(pkt, buf2, dr); 328 return dname_strict_subdomain_c(buf1, buf2); 329 } 330 331 /** check subdomain with decompression */ 332 static int 333 pkt_sub(sldns_buffer* pkt, uint8_t* comprname, uint8_t* zone) 334 { 335 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 336 dname_pkt_copy(pkt, buf, comprname); 337 return dname_subdomain_c(buf, zone); 338 } 339 340 /** check subdomain with decompression, compressed is parent */ 341 static int 342 sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname) 343 { 344 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 345 dname_pkt_copy(pkt, buf, comprname); 346 return dname_subdomain_c(zone, buf); 347 } 348 349 /** Check if there are SOA records in the authority section (negative) */ 350 static int 351 soa_in_auth(struct msg_parse* msg) 352 { 353 struct rrset_parse* rrset; 354 for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next) 355 if(rrset->type == LDNS_RR_TYPE_SOA && 356 rrset->section == LDNS_SECTION_AUTHORITY) 357 return 1; 358 return 0; 359 } 360 361 /** Check if type is allowed in the authority section */ 362 static int 363 type_allowed_in_authority_section(uint16_t tp) 364 { 365 if(tp == LDNS_RR_TYPE_SOA || tp == LDNS_RR_TYPE_NS || 366 tp == LDNS_RR_TYPE_DS || tp == LDNS_RR_TYPE_NSEC || 367 tp == LDNS_RR_TYPE_NSEC3) 368 return 1; 369 return 0; 370 } 371 372 /** Check if type is allowed in the additional section */ 373 static int 374 type_allowed_in_additional_section(uint16_t tp) 375 { 376 if(tp == LDNS_RR_TYPE_A || tp == LDNS_RR_TYPE_AAAA) 377 return 1; 378 return 0; 379 } 380 381 /** Shorten RRset */ 382 static void 383 shorten_rrset(sldns_buffer* pkt, struct rrset_parse* rrset, int count) 384 { 385 /* The too large NS RRset is shortened. This is so that too large 386 * content does not overwhelm the cache. It may make the rrset 387 * bogus if it was signed, and then the domain is not resolved any 388 * more, that is okay, the NS RRset was too large. During a referral 389 * it can be shortened and then the first part of the list could 390 * be used to resolve. The scrub continues to disallow glue for the 391 * removed nameserver RRs and removes that too. Because the glue 392 * is not marked as okay, since the RRs have been removed here. */ 393 int i; 394 struct rr_parse* rr = rrset->rr_first, *prev = NULL; 395 if(!rr) 396 return; 397 for(i=0; i<count; i++) { 398 prev = rr; 399 rr = rr->next; 400 if(!rr) 401 return; /* The RRset is already short. */ 402 } 403 if(verbosity >= VERB_QUERY 404 && rrset->dname_len <= LDNS_MAX_DOMAINLEN) { 405 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 406 dname_pkt_copy(pkt, buf, rrset->dname); 407 log_nametypeclass(VERB_QUERY, "normalize: shorten RRset:", buf, 408 rrset->type, ntohs(rrset->rrset_class)); 409 } 410 /* remove further rrs */ 411 rrset->rr_last = prev; 412 rrset->rr_count = count; 413 while(rr) { 414 rrset->size -= rr->size; 415 rr = rr->next; 416 } 417 if(rrset->rr_last) 418 rrset->rr_last->next = NULL; 419 else rrset->rr_first = NULL; 420 } 421 422 /** Shorten RRSIGs list */ 423 static void 424 shorten_rrsig(sldns_buffer* pkt, struct rrset_parse* rrset, int count) 425 { 426 /* The too large list of RRSIGs on the RRset is shortened. 427 * This is so that too large content does not overwhelm the cache. 428 * The validator does not validate more than a max number of 429 * RRSIGs as well. */ 430 int i; 431 struct rr_parse* rr = rrset->rrsig_first, *prev = NULL; 432 if(!rr) 433 return; 434 for(i=0; i<count; i++) { 435 prev = rr; 436 rr = rr->next; 437 if(!rr) 438 return; /* The RRSIG list is already short. */ 439 } 440 if(verbosity >= VERB_QUERY 441 && rrset->dname_len <= LDNS_MAX_DOMAINLEN) { 442 uint8_t buf[LDNS_MAX_DOMAINLEN+1]; 443 dname_pkt_copy(pkt, buf, rrset->dname); 444 log_nametypeclass(VERB_QUERY, "normalize: shorten RRSIGs:", 445 buf, rrset->type, ntohs(rrset->rrset_class)); 446 } 447 /* remove further rrsigs */ 448 rrset->rrsig_last = prev; 449 rrset->rrsig_count = count; 450 while(rr) { 451 rrset->size -= rr->size; 452 rr = rr->next; 453 } 454 if(rrset->rrsig_last) 455 rrset->rrsig_last->next = NULL; 456 else rrset->rrsig_first = NULL; 457 } 458 459 /** 460 * This routine normalizes a response. This includes removing "irrelevant" 461 * records from the answer and additional sections and (re)synthesizing 462 * CNAMEs from DNAMEs, if present. 463 * 464 * @param pkt: packet. 465 * @param msg: msg to normalize. 466 * @param qinfo: original query. 467 * @param region: where to allocate synthesized CNAMEs. 468 * @param env: module env with config options. 469 * @param zonename: name of server zone. 470 * @return 0 on error. 471 */ 472 static int 473 scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, 474 struct query_info* qinfo, struct regional* region, 475 struct module_env* env, uint8_t* zonename) 476 { 477 uint8_t* sname = qinfo->qname; 478 size_t snamelen = qinfo->qname_len; 479 struct rrset_parse* rrset, *prev, *nsset=NULL; 480 int cname_length = 0; /* number of CNAMEs, or DNAMEs */ 481 482 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR && 483 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN && 484 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN) 485 return 1; 486 487 /* For the ANSWER section, remove all "irrelevant" records and add 488 * synthesized CNAMEs from DNAMEs 489 * This will strip out-of-order CNAMEs as well. */ 490 491 /* walk through the parse packet rrset list, keep track of previous 492 * for insert and delete ease, and examine every RRset */ 493 prev = NULL; 494 rrset = msg->rrset_first; 495 while(rrset && rrset->section == LDNS_SECTION_ANSWER) { 496 if((int)rrset->rrsig_count > env->cfg->iter_scrub_rrsig) 497 shorten_rrsig(pkt, rrset, env->cfg->iter_scrub_rrsig); 498 if(cname_length > env->cfg->iter_scrub_cname) { 499 /* Too many CNAMEs, or DNAMEs, from the authority 500 * server, scrub down the length to something 501 * shorter. This deletes everything after the limit 502 * is reached. The iterator is going to look up 503 * the content one by one anyway. */ 504 remove_rrset("normalize: removing because too many cnames:", 505 pkt, msg, prev, &rrset); 506 continue; 507 } 508 if(rrset->type == LDNS_RR_TYPE_DNAME && 509 pkt_strict_sub(pkt, sname, rrset->dname) && 510 pkt_sub(pkt, rrset->dname, zonename)) { 511 /* check if next rrset is correct CNAME. else, 512 * synthesize a CNAME */ 513 struct rrset_parse* nx = rrset->rrset_all_next; 514 uint8_t alias[LDNS_MAX_DOMAINLEN+1]; 515 size_t aliaslen = 0; 516 if(rrset->rr_count != 1) { 517 verbose(VERB_ALGO, "Found DNAME rrset with " 518 "size > 1: %u", 519 (unsigned)rrset->rr_count); 520 return 0; 521 } 522 if(!synth_cname(sname, snamelen, rrset, alias, 523 &aliaslen, pkt)) { 524 verbose(VERB_ALGO, "synthesized CNAME " 525 "too long"); 526 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) { 527 prev = rrset; 528 rrset = rrset->rrset_all_next; 529 continue; 530 } 531 return 0; 532 } 533 cname_length++; 534 if(nx && nx->type == LDNS_RR_TYPE_CNAME && 535 dname_pkt_compare(pkt, sname, nx->dname) == 0) { 536 /* check next cname */ 537 uint8_t* t = NULL; 538 size_t tlen = 0; 539 if(!parse_get_cname_target(nx, &t, &tlen, pkt)) 540 return 0; 541 if(dname_pkt_compare(pkt, alias, t) == 0) { 542 /* it's OK and better capitalized */ 543 prev = rrset; 544 rrset = nx; 545 continue; 546 } 547 /* synth ourselves */ 548 } 549 /* synth a CNAME rrset */ 550 prev = synth_cname_rrset(&sname, &snamelen, alias, 551 aliaslen, region, msg, rrset, rrset, nx, pkt); 552 if(!prev) { 553 log_err("out of memory synthesizing CNAME"); 554 return 0; 555 } 556 rrset = nx; 557 continue; 558 559 } 560 561 /* The only records in the ANSWER section not allowed to */ 562 if(dname_pkt_compare(pkt, sname, rrset->dname) != 0) { 563 remove_rrset("normalize: removing irrelevant RRset:", 564 pkt, msg, prev, &rrset); 565 continue; 566 } 567 568 /* Follow the CNAME chain. */ 569 if(rrset->type == LDNS_RR_TYPE_CNAME) { 570 struct rrset_parse* nx = rrset->rrset_all_next; 571 uint8_t* oldsname = sname; 572 cname_length++; 573 /* see if the next one is a DNAME, if so, swap them */ 574 if(nx && nx->section == LDNS_SECTION_ANSWER && 575 nx->type == LDNS_RR_TYPE_DNAME && 576 nx->rr_count == 1 && 577 pkt_strict_sub(pkt, sname, nx->dname) && 578 pkt_sub(pkt, nx->dname, zonename)) { 579 /* there is a DNAME after this CNAME, it 580 * is in the ANSWER section, and the DNAME 581 * applies to the name we cover */ 582 /* check if the alias of the DNAME equals 583 * this CNAME */ 584 uint8_t alias[LDNS_MAX_DOMAINLEN+1]; 585 size_t aliaslen = 0; 586 uint8_t* t = NULL; 587 size_t tlen = 0; 588 if(synth_cname(sname, snamelen, nx, alias, 589 &aliaslen, pkt) && 590 parse_get_cname_target(rrset, &t, &tlen, pkt) && 591 dname_pkt_compare(pkt, alias, t) == 0) { 592 /* the synthesized CNAME equals the 593 * current CNAME. This CNAME is the 594 * one that the DNAME creates, and this 595 * CNAME is better capitalised */ 596 verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME"); 597 if(prev) prev->rrset_all_next = nx; 598 else msg->rrset_first = nx; 599 if(nx->rrset_all_next == NULL) 600 msg->rrset_last = rrset; 601 rrset->rrset_all_next = 602 nx->rrset_all_next; 603 nx->rrset_all_next = rrset; 604 /* prev = nx; unused, enable if there 605 * is other rrset removal code after 606 * this */ 607 } 608 } 609 610 /* move to next name in CNAME chain */ 611 if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt)) 612 return 0; 613 prev = rrset; 614 rrset = rrset->rrset_all_next; 615 /* in CNAME ANY response, can have data after CNAME */ 616 if(qinfo->qtype == LDNS_RR_TYPE_ANY) { 617 while(rrset && rrset->section == 618 LDNS_SECTION_ANSWER && 619 dname_pkt_compare(pkt, oldsname, 620 rrset->dname) == 0) { 621 if(rrset->type == LDNS_RR_TYPE_NS && 622 rrset->rr_count > env->cfg->iter_scrub_ns) { 623 shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns); 624 } 625 prev = rrset; 626 rrset = rrset->rrset_all_next; 627 } 628 } 629 continue; 630 } 631 632 /* Otherwise, make sure that the RRset matches the qtype. */ 633 if(qinfo->qtype != LDNS_RR_TYPE_ANY && 634 qinfo->qtype != rrset->type) { 635 remove_rrset("normalize: removing irrelevant RRset:", 636 pkt, msg, prev, &rrset); 637 continue; 638 } 639 640 if(rrset->type == LDNS_RR_TYPE_NS && 641 rrset->rr_count > env->cfg->iter_scrub_ns) { 642 shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns); 643 } 644 645 /* Mark the additional names from relevant rrset as OK. */ 646 /* only for RRsets that match the query name, other ones 647 * will be removed by sanitize, so no additional for them */ 648 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) 649 mark_additional_rrset(pkt, msg, rrset); 650 651 prev = rrset; 652 rrset = rrset->rrset_all_next; 653 } 654 655 /* Mark additional names from AUTHORITY */ 656 while(rrset && rrset->section == LDNS_SECTION_AUTHORITY) { 657 /* protect internals of recursor by making sure to del these */ 658 if(rrset->type==LDNS_RR_TYPE_DNAME || 659 rrset->type==LDNS_RR_TYPE_CNAME || 660 rrset->type==LDNS_RR_TYPE_A || 661 rrset->type==LDNS_RR_TYPE_AAAA) { 662 remove_rrset("normalize: removing irrelevant " 663 "RRset:", pkt, msg, prev, &rrset); 664 continue; 665 } 666 /* Allowed list of types in the authority section */ 667 if(env->cfg->harden_unknown_additional && 668 !type_allowed_in_authority_section(rrset->type)) { 669 remove_rrset("normalize: removing irrelevant " 670 "RRset:", pkt, msg, prev, &rrset); 671 continue; 672 } 673 if((int)rrset->rrsig_count > env->cfg->iter_scrub_rrsig) 674 shorten_rrsig(pkt, rrset, env->cfg->iter_scrub_rrsig); 675 /* only one NS set allowed in authority section */ 676 if(rrset->type==LDNS_RR_TYPE_NS) { 677 /* NS set must be pertinent to the query */ 678 if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) { 679 remove_rrset("normalize: removing irrelevant " 680 "RRset:", pkt, msg, prev, &rrset); 681 continue; 682 } 683 /* we don't want NS sets for NXDOMAIN answers, 684 * because they could contain poisonous contents, 685 * from. eg. fragmentation attacks, inserted after 686 * long RRSIGs in the packet get to the packet 687 * border and such */ 688 /* also for NODATA answers */ 689 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || 690 (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR 691 && soa_in_auth(msg) && msg->an_rrsets == 0)) { 692 remove_rrset("normalize: removing irrelevant " 693 "RRset:", pkt, msg, prev, &rrset); 694 continue; 695 } 696 /* If the NS set is a promiscuous NS set, scrub that 697 * to remove potential for poisonous contents that 698 * affects other names in the same zone. Remove 699 * promiscuous NS sets in positive answers, that 700 * thus have records in the answer section. Nodata 701 * and nxdomain promiscuous NS sets have been removed 702 * already. Since the NS rrset is scrubbed, its 703 * address records are also not marked to be allowed 704 * and are removed later. */ 705 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && 706 msg->an_rrsets != 0 && 707 env->cfg->iter_scrub_promiscuous) { 708 remove_rrset("normalize: removing promiscuous " 709 "RRset:", pkt, msg, prev, &rrset); 710 continue; 711 } 712 /* Also delete promiscuous NS for other RCODEs */ 713 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR 714 && env->cfg->iter_scrub_promiscuous) { 715 remove_rrset("normalize: removing promiscuous " 716 "RRset:", pkt, msg, prev, &rrset); 717 continue; 718 } 719 /* Also delete promiscuous NS for NOERROR with nodata 720 * for authoritative answers, not for delegations. 721 * NOERROR with an_rrsets!=0 already handled. 722 * Also NOERROR and soa_in_auth already handled. 723 * NOERROR with an_rrsets==0, and not a referral. 724 * referral is (NS not the zonename, noSOA). 725 */ 726 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR 727 && msg->an_rrsets == 0 728 && !(dname_pkt_compare(pkt, rrset->dname, 729 zonename) != 0 && !soa_in_auth(msg)) 730 && env->cfg->iter_scrub_promiscuous) { 731 remove_rrset("normalize: removing promiscuous " 732 "RRset:", pkt, msg, prev, &rrset); 733 continue; 734 } 735 if(nsset == NULL) { 736 nsset = rrset; 737 } else { 738 remove_rrset("normalize: removing irrelevant " 739 "RRset:", pkt, msg, prev, &rrset); 740 continue; 741 } 742 if(rrset->rr_count > env->cfg->iter_scrub_ns) { 743 /* If this is not a referral, and the NS RRset 744 * is signed, then remove it entirely, so 745 * that when it becomes bogus it does not 746 * make the message that is otherwise fine 747 * into a bogus message. */ 748 if(!(msg->an_rrsets == 0 && 749 FLAGS_GET_RCODE(msg->flags) == 750 LDNS_RCODE_NOERROR && 751 !soa_in_auth(msg) && 752 !(msg->flags & BIT_AA)) && 753 rrset->rrsig_count != 0) { 754 remove_rrset("normalize: removing too large NS " 755 "RRset:", pkt, msg, prev, &rrset); 756 continue; 757 } else { 758 shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns); 759 } 760 } 761 } 762 /* if this is type DS and we query for type DS we just got 763 * a referral answer for our type DS query, fix packet */ 764 if(rrset->type==LDNS_RR_TYPE_DS && 765 qinfo->qtype == LDNS_RR_TYPE_DS && 766 dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) { 767 rrset->section = LDNS_SECTION_ANSWER; 768 msg->ancount = rrset->rr_count + rrset->rrsig_count; 769 msg->nscount = 0; 770 msg->arcount = 0; 771 msg->an_rrsets = 1; 772 msg->ns_rrsets = 0; 773 msg->ar_rrsets = 0; 774 msg->rrset_count = 1; 775 msg->rrset_first = rrset; 776 msg->rrset_last = rrset; 777 rrset->rrset_all_next = NULL; 778 return 1; 779 } 780 /* Only mark glue as allowed for type NS in the authority 781 * section. Other RR types do not get glue for them, it 782 * is allowed from the answer section, but not authority 783 * so that a message can not have address records cached 784 * as a side effect to the query. */ 785 if(rrset->type==LDNS_RR_TYPE_NS) 786 mark_additional_rrset(pkt, msg, rrset); 787 prev = rrset; 788 rrset = rrset->rrset_all_next; 789 } 790 791 /* For each record in the additional section, remove it if it is an 792 * address record and not in the collection of additional names 793 * found in ANSWER and AUTHORITY. */ 794 /* These records have not been marked OK previously */ 795 while(rrset && rrset->section == LDNS_SECTION_ADDITIONAL) { 796 if(rrset->type==LDNS_RR_TYPE_A || 797 rrset->type==LDNS_RR_TYPE_AAAA) 798 { 799 if((rrset->flags & RRSET_SCRUB_OK)) { 800 /* remove flag to clean up flags variable */ 801 rrset->flags &= ~RRSET_SCRUB_OK; 802 } else { 803 remove_rrset("normalize: removing irrelevant " 804 "RRset:", pkt, msg, prev, &rrset); 805 continue; 806 } 807 } 808 /* protect internals of recursor by making sure to del these */ 809 if(rrset->type==LDNS_RR_TYPE_DNAME || 810 rrset->type==LDNS_RR_TYPE_CNAME || 811 rrset->type==LDNS_RR_TYPE_NS) { 812 remove_rrset("normalize: removing irrelevant " 813 "RRset:", pkt, msg, prev, &rrset); 814 continue; 815 } 816 /* Allowed list of types in the additional section */ 817 if(env->cfg->harden_unknown_additional && 818 !type_allowed_in_additional_section(rrset->type)) { 819 remove_rrset("normalize: removing irrelevant " 820 "RRset:", pkt, msg, prev, &rrset); 821 continue; 822 } 823 if((int)rrset->rrsig_count > env->cfg->iter_scrub_rrsig) 824 shorten_rrsig(pkt, rrset, env->cfg->iter_scrub_rrsig); 825 prev = rrset; 826 rrset = rrset->rrset_all_next; 827 } 828 829 return 1; 830 } 831 832 /** 833 * Store potential poison in the cache (only if hardening disabled). 834 * The rrset is stored in the cache but removed from the message. 835 * So that it will be used for infrastructure purposes, but not be 836 * returned to the client. 837 * @param pkt: packet 838 * @param msg: message parsed 839 * @param env: environment with cache 840 * @param rrset: to store. 841 */ 842 static void 843 store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env, 844 struct rrset_parse* rrset) 845 { 846 struct ub_packed_rrset_key* k; 847 struct packed_rrset_data* d; 848 struct rrset_ref ref; 849 time_t now = *env->now; 850 851 k = alloc_special_obtain(env->alloc); 852 if(!k) 853 return; 854 k->entry.data = NULL; 855 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) { 856 alloc_special_release(env->alloc, k); 857 return; 858 } 859 d = (struct packed_rrset_data*)k->entry.data; 860 packed_rrset_ttl_add(d, now); 861 ref.key = k; 862 ref.id = k->id; 863 /*ignore ret: it was in the cache, ref updated */ 864 (void)rrset_cache_update(env->rrset_cache, &ref, env->alloc, now); 865 } 866 867 /** 868 * Check if right hand name in NSEC is within zone 869 * @param pkt: the packet buffer for decompression. 870 * @param rrset: the NSEC rrset 871 * @param zonename: the zone name. 872 * @return true if BAD. 873 */ 874 static int sanitize_nsec_is_overreach(sldns_buffer* pkt, 875 struct rrset_parse* rrset, uint8_t* zonename) 876 { 877 struct rr_parse* rr; 878 uint8_t* rhs; 879 size_t len; 880 log_assert(rrset->type == LDNS_RR_TYPE_NSEC); 881 for(rr = rrset->rr_first; rr; rr = rr->next) { 882 size_t pos = sldns_buffer_position(pkt); 883 size_t rhspos; 884 rhs = rr->ttl_data+4+2; 885 len = sldns_read_uint16(rr->ttl_data+4); 886 rhspos = rhs-sldns_buffer_begin(pkt); 887 sldns_buffer_set_position(pkt, rhspos); 888 if(pkt_dname_len(pkt) == 0) { 889 /* malformed */ 890 sldns_buffer_set_position(pkt, pos); 891 return 1; 892 } 893 if(sldns_buffer_position(pkt)-rhspos > len) { 894 /* outside of rdata boundaries */ 895 sldns_buffer_set_position(pkt, pos); 896 return 1; 897 } 898 sldns_buffer_set_position(pkt, pos); 899 if(!pkt_sub(pkt, rhs, zonename)) { 900 /* overreaching */ 901 return 1; 902 } 903 } 904 /* all NSEC RRs OK */ 905 return 0; 906 } 907 908 /** Remove individual RRs, if the length is wrong. Returns true if the RRset 909 * has been removed. */ 910 static int 911 scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg, 912 struct rrset_parse* prev, struct rrset_parse** rrset, int* added_ede, 913 struct module_qstate* qstate) 914 { 915 struct rr_parse* rr, *rr_prev = NULL; 916 for(rr = (*rrset)->rr_first; rr; rr = rr->next) { 917 918 /* Sanity check for length of records 919 * An A record should be 6 bytes only 920 * (2 bytes for length and 4 for IPv4 addr)*/ 921 if((*rrset)->type == LDNS_RR_TYPE_A && rr->size != 6 ) { 922 if(!*added_ede) { 923 *added_ede = 1; 924 errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.", 925 LDNS_EDE_OTHER); 926 } 927 if(msgparse_rrset_remove_rr("sanitize: removing type A RR of inappropriate length:", 928 pkt, *rrset, rr_prev, rr, NULL, 0)) { 929 remove_rrset("sanitize: removing type A RRset of inappropriate length:", 930 pkt, msg, prev, rrset); 931 return 1; 932 } 933 continue; 934 } 935 936 /* Sanity check for length of records 937 * An AAAA record should be 18 bytes only 938 * (2 bytes for length and 16 for IPv6 addr)*/ 939 if((*rrset)->type == LDNS_RR_TYPE_AAAA && rr->size != 18 ) { 940 if(!*added_ede) { 941 *added_ede = 1; 942 errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.", 943 LDNS_EDE_OTHER); 944 } 945 if(msgparse_rrset_remove_rr("sanitize: removing type AAAA RR of inappropriate length:", 946 pkt, *rrset, rr_prev, rr, NULL, 0)) { 947 remove_rrset("sanitize: removing type AAAA RRset of inappropriate length:", 948 pkt, msg, prev, rrset); 949 return 1; 950 } 951 continue; 952 } 953 rr_prev = rr; 954 } 955 return 0; 956 } 957 958 /** 959 * Given a response event, remove suspect RRsets from the response. 960 * "Suspect" rrsets are potentially poison. Note that this routine expects 961 * the response to be in a "normalized" state -- that is, all "irrelevant" 962 * RRsets have already been removed, CNAMEs are in order, etc. 963 * 964 * @param pkt: packet. 965 * @param msg: msg to normalize. 966 * @param qinfo: the question originally asked. 967 * @param zonename: name of server zone. 968 * @param env: module environment with config and cache. 969 * @param ie: iterator environment with private address data. 970 * @param qstate: for setting errinf for EDE error messages. 971 * @return 0 on error. 972 */ 973 static int 974 scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, 975 struct query_info* qinfo, uint8_t* zonename, struct module_env* env, 976 struct iter_env* ie, struct module_qstate* qstate) 977 { 978 int del_addi = 0; /* if additional-holding rrsets are deleted, we 979 do not trust the normalized additional-A-AAAA any more */ 980 uint8_t* ns_rrset_dname = NULL; 981 int added_rrlen_ede = 0; 982 struct rrset_parse* rrset, *prev; 983 prev = NULL; 984 rrset = msg->rrset_first; 985 986 /* the first DNAME is allowed to stay. It needs checking before 987 * it can be used from the cache. After normalization, an initial 988 * DNAME will have a correctly synthesized CNAME after it. */ 989 if(rrset && rrset->type == LDNS_RR_TYPE_DNAME && 990 rrset->section == LDNS_SECTION_ANSWER && 991 pkt_strict_sub(pkt, qinfo->qname, rrset->dname) && 992 pkt_sub(pkt, rrset->dname, zonename)) { 993 prev = rrset; /* DNAME allowed to stay in answer section */ 994 rrset = rrset->rrset_all_next; 995 } 996 997 /* remove all records from the answer section that are 998 * not the same domain name as the query domain name. 999 * The answer section should contain rrsets with the same name 1000 * as the question. For DNAMEs a CNAME has been synthesized. 1001 * Wildcards have the query name in answer section. 1002 * ANY queries get query name in answer section. 1003 * Remainders of CNAME chains are cut off and resolved by iterator. */ 1004 while(rrset && rrset->section == LDNS_SECTION_ANSWER) { 1005 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) != 0) { 1006 if(has_additional(rrset->type)) del_addi = 1; 1007 remove_rrset("sanitize: removing extraneous answer " 1008 "RRset:", pkt, msg, prev, &rrset); 1009 continue; 1010 } 1011 prev = rrset; 1012 rrset = rrset->rrset_all_next; 1013 } 1014 1015 /* At this point, we brutally remove ALL rrsets that aren't 1016 * children of the originating zone. The idea here is that, 1017 * as far as we know, the server that we contacted is ONLY 1018 * authoritative for the originating zone. It, of course, MAY 1019 * be authoritative for any other zones, and of course, MAY 1020 * NOT be authoritative for some subdomains of the originating 1021 * zone. */ 1022 prev = NULL; 1023 rrset = msg->rrset_first; 1024 while(rrset) { 1025 1026 /* Sanity check for length of records */ 1027 if(rrset->type == LDNS_RR_TYPE_A || 1028 rrset->type == LDNS_RR_TYPE_AAAA) { 1029 if(scrub_sanitize_rr_length(pkt, msg, prev, &rrset, 1030 &added_rrlen_ede, qstate)) 1031 continue; 1032 } 1033 1034 /* remove private addresses */ 1035 if(rrset->type == LDNS_RR_TYPE_A || 1036 rrset->type == LDNS_RR_TYPE_AAAA || 1037 rrset->type == LDNS_RR_TYPE_SVCB || 1038 rrset->type == LDNS_RR_TYPE_HTTPS) { 1039 1040 /* do not set servfail since this leads to too 1041 * many drops of other people using rfc1918 space */ 1042 /* also do not remove entire rrset, unless all records 1043 * in it are bad */ 1044 if(priv_rrset_bad(ie->priv, pkt, rrset)) { 1045 remove_rrset(NULL, pkt, msg, prev, &rrset); 1046 continue; 1047 } 1048 } 1049 1050 /* skip DNAME records -- they will always be followed by a 1051 * synthesized CNAME, which will be relevant. 1052 * FIXME: should this do something differently with DNAME 1053 * rrsets NOT in Section.ANSWER? */ 1054 /* But since DNAME records are also subdomains of the zone, 1055 * same check can be used */ 1056 1057 if(!pkt_sub(pkt, rrset->dname, zonename)) { 1058 if(msg->an_rrsets == 0 && 1059 rrset->type == LDNS_RR_TYPE_NS && 1060 rrset->section == LDNS_SECTION_AUTHORITY && 1061 FLAGS_GET_RCODE(msg->flags) == 1062 LDNS_RCODE_NOERROR && !soa_in_auth(msg) && 1063 sub_of_pkt(pkt, zonename, rrset->dname)) { 1064 /* noerror, nodata and this NS rrset is above 1065 * the zone. This is LAME! 1066 * Leave in the NS for lame classification. */ 1067 /* remove everything from the additional 1068 * (we dont want its glue that was approved 1069 * during the normalize action) */ 1070 del_addi = 1; 1071 } else if(!env->cfg->harden_glue && ( 1072 rrset->type == LDNS_RR_TYPE_A || 1073 rrset->type == LDNS_RR_TYPE_AAAA)) { 1074 /* store in cache! Since it is relevant 1075 * (from normalize) it will be picked up 1076 * from the cache to be used later */ 1077 store_rrset(pkt, msg, env, rrset); 1078 remove_rrset("sanitize: storing potential " 1079 "poison RRset:", pkt, msg, prev, &rrset); 1080 continue; 1081 } else { 1082 if(has_additional(rrset->type)) del_addi = 1; 1083 remove_rrset("sanitize: removing potential " 1084 "poison RRset:", pkt, msg, prev, &rrset); 1085 continue; 1086 } 1087 } 1088 if(rrset->type == LDNS_RR_TYPE_NS && 1089 (rrset->section == LDNS_SECTION_AUTHORITY || 1090 rrset->section == LDNS_SECTION_ANSWER)) { 1091 /* If the type is NS, and we're in the 1092 * answer or authority section, then 1093 * store the dname so we can check 1094 * against the glue records 1095 * further down */ 1096 ns_rrset_dname = rrset->dname; 1097 } 1098 if(del_addi && rrset->section == LDNS_SECTION_ADDITIONAL) { 1099 remove_rrset("sanitize: removing potential " 1100 "poison reference RRset:", pkt, msg, prev, &rrset); 1101 continue; 1102 } 1103 /* check if right hand side of NSEC is within zone */ 1104 if(rrset->type == LDNS_RR_TYPE_NSEC && 1105 sanitize_nsec_is_overreach(pkt, rrset, zonename)) { 1106 remove_rrset("sanitize: removing overreaching NSEC " 1107 "RRset:", pkt, msg, prev, &rrset); 1108 continue; 1109 } 1110 if(env->cfg->harden_unverified_glue && ns_rrset_dname && 1111 rrset->section == LDNS_SECTION_ADDITIONAL && 1112 (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA) && 1113 !pkt_strict_sub(pkt, rrset->dname, ns_rrset_dname)) { 1114 /* We're in the additional section, looking 1115 * at an A/AAAA rrset, have a previous 1116 * delegation point and we notice that 1117 * the glue records are NOT for strict 1118 * subdomains of the delegation. So set a 1119 * flag, recompute the hash for the rrset 1120 * and write the A/AAAA record to cache. 1121 * It'll be retrieved if we can't separately 1122 * resolve the glue */ 1123 rrset->flags = PACKED_RRSET_UNVERIFIED_GLUE; 1124 rrset->hash = pkt_hash_rrset(pkt, rrset->dname, rrset->type, rrset->rrset_class, rrset->flags); 1125 store_rrset(pkt, msg, env, rrset); 1126 remove_rrset("sanitize: storing potential " 1127 "unverified glue reference RRset:", pkt, msg, prev, &rrset); 1128 continue; 1129 } 1130 prev = rrset; 1131 rrset = rrset->rrset_all_next; 1132 } 1133 return 1; 1134 } 1135 1136 int 1137 scrub_message(sldns_buffer* pkt, struct msg_parse* msg, 1138 struct query_info* qinfo, uint8_t* zonename, struct regional* region, 1139 struct module_env* env, struct module_qstate* qstate, 1140 struct iter_env* ie) 1141 { 1142 /* basic sanity checks */ 1143 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS, 1144 qinfo->qclass); 1145 if(msg->qdcount > 1) 1146 return 0; 1147 if( !(msg->flags&BIT_QR) ) 1148 return 0; 1149 msg->flags &= ~(BIT_AD|BIT_Z); /* force off bit AD and Z */ 1150 1151 /* make sure that a query is echoed back when NOERROR or NXDOMAIN */ 1152 /* this is not required for basic operation but is a forgery 1153 * resistance (security) feature */ 1154 if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR || 1155 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || 1156 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) && 1157 msg->qdcount == 0) 1158 return 0; 1159 1160 /* if a query is echoed back, make sure it is correct. Otherwise, 1161 * this may be not a reply to our query. */ 1162 if(msg->qdcount == 1) { 1163 if(dname_pkt_compare(pkt, msg->qname, qinfo->qname) != 0) 1164 return 0; 1165 if(msg->qtype != qinfo->qtype || msg->qclass != qinfo->qclass) 1166 return 0; 1167 } 1168 1169 /* normalize the response, this cleans up the additional. */ 1170 if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename)) 1171 return 0; 1172 /* delete all out-of-zone information */ 1173 if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate)) 1174 return 0; 1175 return 1; 1176 } 1177
Indexes created Sun Jun 21 00:25:28 UTC 2026