
pdnssec: warn for insecure wildcards in opt-out zones

1 parent e4f48ab commit 5ae212e6a34825f5233632e53bed5fe4cb2f0e69 @mind04 mind04 committed with mind04 Mar 27, 2015
Showing with 14 additions and 0 deletions.
  1. +14 −0 pdns/pdnssec.cc
@@ -405,7 +405,15 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
cout<<"Checked 0 records of '"<<zone<<"', 1 errors, 0 warnings."<<endl;
return 1;
}
+
+ NSEC3PARAMRecordContent ns3pr;
+ bool narrow = false;
+ bool haveNSEC3 = dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
+ bool isOptOut=(haveNSEC3 && ns3pr.d_flags);
+
+ bool isSecure=dk.isSecuredZone(zone);
bool presigned=dk.isPresigned(zone);
+
sd.db->list(zone, sd.domain_id, true);
DNSResourceRecord rr;
uint64_t numrecords=0, numerrors=0, numwarnings=0;
@@ -494,6 +502,12 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const std::string& zone)
continue;
}
+ if (isSecure && isOptOut && (rr.qname.size() && rr.qname[0] == '*') && (rr.qname.size() < 2 || rr.qname[1] == '.' )) {
+ cout<<"[Warning] wildcard record '"<<rr.qname<<" IN " <<rr.qtype.getName()<<" "<<rr.content<<"' is insecure"<<endl;
+ cout<<"[Info] Wildcard records in opt-out zones are insecure. Disable the opt-out flag for this zone to avoid this warning. Command: pdnssec set-nsec3 "<<zone<<endl;
+ numwarnings++;
+ }
+
if(pdns_iequals(rr.qname, zone)) {
if (rr.qtype.getCode() == QType::NS) {
hasNsAtApex=true;
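Review bot: `isOptOut` in the first hunk is derived from the truthiness of `ns3pr.d_flags`, but RFC 5155 defines Opt-Out as flag bit 0 only and requires the remaining bits to be ignored, so a zone carrying any reserved flag bit would be reported as opt-out here; `bool isOptOut=(haveNSEC3 && (ns3pr.d_flags & 1));` pins the check to the Opt-Out bit. If the rest of the code base deliberately treats `d_flags` as a boolean this may be intentional, in which case a short comment saying so on that line would help the next reader. In the second hunk the `[Info]` explanation is printed once per matching record, so a zone with many wildcard records repeats the same remediation text for each one; consider emitting the `[Warning]` per record but printing the `[Info]` line only once (for example via a `bool` set on first hit and reported after the loop). The enclosing function checkZone begins and ends outside both hunks.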
