
limit the number of NSEC3 iterations RFC5155 10.3

1 parent 88c52fe commit 017a78b85900bb0130ad552b006c0f0f68df099d @mind04 mind04 committed with mind04 Jul 20, 2014
Showing with 17 additions and 1 deletion.
  1. +1 −0 pdns/common_startup.cc
  2. +10 −1 pdns/dbdnsseckeeper.cc
  3. +5 −0 pdns/pdns.conf-dist
  4. +1 −0 pdns/pdnssec.cc
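--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -144,6 +144,7 @@ void declareArguments()
 ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
 ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
 ::arg().set("default-zsk-size","Default KSK size (0 means default)")="0";
+ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 ::arg().set("include-dir","Include *.conf files from this directory");
 }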
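Review bot: The default "500" and its help text are duplicated verbatim in pdnssec.cc's loadMainConfig (the last hunk on this page), so pdns_server and pdnssec can end up enforcing different limits if one copy is edited without the other; a single shared declaration that both declareArguments and loadMainConfig call, or at least one constant for the default, would keep them aligned. RFC 5155 section 10.3, which the trailing comment cites, ties the acceptable iteration count to the zone's key size (150 for 1024-bit, 500 for 2048-bit, 2500 for 4096-bit keys), so 500 is the 2048-bit tier rather than a universal cap. Recording that in the help string, e.g. `"Limit the number of NSEC3 hash iterations (RFC 5155 10.3: 150/500/2500 for 1024/2048/4096-bit keys)"`, tells operators with larger or smaller keys what to set. declareArguments starts before this hunk.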
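--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -231,11 +231,16 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 if(value.empty()) { // "no NSEC3"
 return false;
 }
-
+
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
 if(ns3p) {
 NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
 *ns3p = *tmp;
 delete tmp;
+ if (ns3p->d_iterations > maxNSEC3Iterations) {
+ ns3p->d_iterations = maxNSEC3Iterations;
+ L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
+ }
 }
 if(narrow) {
 getFromMeta(zname, "NSEC3NARROW", value);
@@ -246,6 +251,10 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
+ if (ns3p.d_iterations > maxNSEC3Iterations)
+ throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+
 clearCaches(zname);
 string descr = ns3p.getZoneRepresentation();
 vector<string> meta;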
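Review bot: In both hunks the limit is read with `::arg().asNum()` into a signed `int` and compared against `d_iterations` with no range check, so a misconfigured negative value (or one above the 16-bit range of the NSEC3PARAM iterations field) is accepted as-is: in getNSEC3PARAM every zone would then satisfy `d_iterations > maxNSEC3Iterations` and have that out-of-range value written into its iteration count, and in setNSEC3PARAM nothing would ever be rejected. Validate the setting where it is read, e.g. `if (maxNSEC3Iterations < 0 || maxNSEC3Iterations > 65535) throw runtime_error("'max-nsec3-iterations' must be between 0 and 65535");`, preferably in one helper shared by both functions instead of two separate function-local statics. The `static` also fixes the value at first use, so a changed setting is not picked up without a restart; a comment such as `// read once: the limit is fixed for the lifetime of the process` would mark that as intended rather than accidental. The clamp in getNSEC3PARAM logs at Error level each time it fires, so a zone whose stored NSEC3PARAM stays above the limit may emit that line on every lookup unless callers cache the result (not visible here). getNSEC3PARAM starts before the first hunk and setNSEC3PARAM continues past the last line shown.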
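--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -220,6 +220,11 @@
 # max-ent-entries=100000
 #################################
+# max-nsec3-iterations Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
+#################################
 # max-queue-length Maximum queuelength before considering situation lost
 #
 # max-queue-length=5000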
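--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -132,6 +132,7 @@ void loadMainConfig(const std::string& configdir)
 ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
 ::arg().set("module-dir","Default directory for modules")=LIBDIR;
 ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 ::arg().laxFile(configname.c_str());
 BackendMakers().launch(::arg()["launch"]); // vrooooom!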
