
limit the number of NSEC3 iterations RFC5155 10.3

1 parent da642b7 commit 28b66a9478002eeab98650bc314fd37799985cc1 @mind04 mind04 committed with mind04 Jul 20, 2014
Showing with 22 additions and 1 deletion.
  1. +1 −0 pdns/common_startup.cc
  2. +10 −1 pdns/dbdnsseckeeper.cc
  3. +5 −0 pdns/pdns.conf-dist
  4. +1 −0 pdns/pdnssec.cc
  5. +5 −0 pdns/rfc2136handler.cc
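--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -159,6 +159,7 @@ void declareArguments()
 ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
 ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
 ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0";
+ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 ::arg().set("include-dir","Include *.conf files from this directory");
 }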
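Review bot: The new argument declaration, its help text and its default `"500"` are repeated verbatim in the pdnssec.cc loadMainConfig hunk of this commit, so the server and the pdnssec tool can end up enforcing different limits against the same backend if only one copy is edited later; a single shared constant for the default would keep them aligned. The RFC reference is carried only in a trailing code comment, so operators never see it; moving it into the help text, `"Limit the number of NSEC3 hash iterations (RFC 5155 section 10.3)"`, makes the origin of the limit visible in --help output. Note also that 500 is the ceiling that section's table gives for 2048-bit keys, while smaller keys are allowed fewer iterations there, which a single global limit cannot express; a comment stating that the default is a key-size-independent compromise would avoid the question being re-asked.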
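--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -233,11 +233,16 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 if(value.empty()) { // "no NSEC3"
 return false;
 }
-
+
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
 if(ns3p) {
 NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, value));
 *ns3p = *tmp;
 delete tmp;
+ if (ns3p->d_iterations > maxNSEC3Iterations) {
+ ns3p->d_iterations = maxNSEC3Iterations;
+ L<<Logger::Error<<"Number of NSEC3 iterations for zone '"<<zname<<"' is above 'max-nsec3-iterations'. Value adjusted to: "<<maxNSEC3Iterations<<endl;
+ }
 }
 if(narrow) {
 getFromMeta(zname, "NSEC3NARROW", value);
@@ -248,6 +253,10 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
 bool DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
+ static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
+ if (ns3p.d_iterations > maxNSEC3Iterations)
+ throw runtime_error("Can't set NSEC3PARAM for zone '"+zname+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+
 clearCaches(zname);
 string descr = ns3p.getZoneRepresentation();
 vector<string> meta;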
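Review bot: The configured limit read into `static int maxNSEC3Iterations` at the top of setNSEC3PARAM (and likewise in the getNSEC3PARAM hunk above) is never range-checked before it is compared with, and in getNSEC3PARAM assigned to, `d_iterations`; if that field is the unsigned 16-bit iteration count from the NSEC3PARAM wire format (its type is not visible in these hunks), a negative configured value makes the comparison always true and the assignment wrap to a large count, inverting the intent of the check. Validate once where the static is initialised, e.g. `if (maxNSEC3Iterations < 0 || maxNSEC3Iterations > 65535) throw runtime_error("'max-nsec3-iterations' must be between 0 and 65535");`, and a comment noting that the static means a changed setting only takes effect after restart. The clamp in getNSEC3PARAM adjusts only the returned copy while the zone's stored metadata stays above the limit, so the `Logger::Error` line there fires on every call that reaches it for that zone; logging it at a lower level or once per zone would keep a single misconfigured zone from flooding the log. Both functions continue outside the hunks.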
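--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -265,6 +265,11 @@
 # max-ent-entries=100000
 #################################
+# max-nsec3-iterations Limit the number of NSEC3 hash iterations
+#
+# max-nsec3-iterations=500
+
+#################################
 # max-queue-length Maximum queuelength before considering situation lost
 #
 # max-queue-length=5000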
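--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -137,6 +137,7 @@ void loadMainConfig(const std::string& configdir)
 ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom";
 ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+ ::arg().set("max-nsec3-iterations","Limit the number of NSEC3 hash iterations")="500"; // RFC5155 10.3
 ::arg().laxFile(configname.c_str());
 BackendMakers().launch(::arg()["launch"]); // vrooooom!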
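--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -921,6 +921,11 @@ int PacketHandler::processUpdate(DNSPacket *p) {
 di.backend->abortTransaction();
 return RCode::ServFail;
 }
+ catch(std::exception &e) {
+ L<<Logger::Error<<msgPrefix<<"Caught std:exception: "<<e.what()<<"; Sending ServFail!"<<endl;
+ di.backend->abortTransaction();
+ return RCode::ServFail;
+ }
 catch (...) {
 L<<Logger::Error<<msgPrefix<<"Caught unknown exception when performing update. Sending ServFail!"<<endl;
 di.backend->abortTransaction();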
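Review bot: The new handler's log text reads `"Caught std:exception: "` with a single colon, which looks like a typo beside the `std::exception` it catches; `"Caught std::exception: "` matches the type name and the wording of the neighbouring handlers. Catching by non-const reference is unusual for a read-only `e.what()`; `catch(const std::exception& e)` is the conventional form. This handler is also where the runtime_error that setNSEC3PARAM now throws for an over-limit NSEC3 iteration count lands, and it is answered with ServFail like the internal-failure paths; a one-line comment in the handler saying that configured-policy rejections from the keeper deliberately take this path would tell the next reader the RCODE is intentional. The enclosing try block and processUpdate begin outside the hunk.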
