limit the number of NSEC3 iterations RFC5155 10.3

Author: mind04

pdns/common_startup.cc

@@ -159,6 +159,7 @@ void declareArguments()
   ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
   ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
   ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";
+  ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 
   ::arg().set("include-dir","Include *.conf files from this directory");
 }

pdns/dbdnsseckeeper.cc

@@ -233,11 +233,16 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
   if(value.empty()) { // "no NSEC3"
     return false;
   }
-     
+
+  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
   if(ns3p) {
     NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
     *ns3p = *tmp;
     delete tmp;
+    if (ns3p->d_iterations > maxNSEC3Iterations) {
+      ns3p->d_iterations = maxNSEC3Iterations;
+      L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
+    }
   }
   if(narrow) {
     getFromMeta(zname, "NSEC3NARROW", value);
@@ -248,6 +253,10 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 
 bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
+  static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
+  if (ns3p.d_iterations > maxNSEC3Iterations)
+    throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+
   clearCaches(zname);
   string descr = ns3p.getZoneRepresentation();
   vector<string> meta;

pdns/pdns.conf-dist

@@ -264,6 +264,11 @@
 #
 # max-ent-entries=100000
 
+#################################
+# max-nsec3-iterations	Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
 #################################
 # max-queue-length	Maximum queuelength before considering situation lost
 #

pdns/pdnssec.cc

@@ -137,6 +137,7 @@ void loadMainConfig(const std::string& configdir)
   ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
 
   ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+  ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
   ::arg().laxFile(configname.c_str());
 
   BackendMakers().launch(::arg()["launch"]); // vrooooom!

pdns/rfc2136handler.cc

@@ -921,6 +921,11 @@ int PacketHandler::processUpdate(DNSPacket *p) {
     di.backend->abortTransaction();
     return RCode::ServFail;
   }
+  catch(std::exception &e) {
+    L<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
+    di.backend->abortTransaction();
+    return RCode::ServFail;
+  }
   catch (...) {
     L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
     di.backend->abortTransaction();