Gitiles
Code Review Sign In
gerrit.nordix.org / thekelleys / dnsmasq / 4fe6744a220eddd3f1749b40cac3dfc510787de6
commit4fe6744a220eddd3f1749b40cac3dfc510787de6[log] [tgz]
authorSimon Kelley <simon@thekelleys.org.uk>Fri Jan 19 12:26:08 2018 +0000
committerSimon Kelley <simon@thekelleys.org.uk>Fri Jan 19 12:39:46 2018 +0000
tree1533727e61f9d7e88de9335198d73457bf5ad749
parent3bd4c47f31f6e124057f12447994f38fcb6ac74f [diff]
DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.

It's OK for NSEC records to be expanded from wildcards,
but in that case, the proof of non-existence is only valid
starting at the wildcard name, *.<domain> NOT the name expanded
from the wildcard. Without this check it's possible for an
attacker to craft an NSEC which wrongly proves non-existence
in a domain which includes a wildcard for NSEC.
2 files changed
tree: 1533727e61f9d7e88de9335198d73457bf5ad749
  1. bld/
  2. contrib/
  3. dbus/
  4. debian/
  5. logo/
  6. man/
  7. po/
  8. src/
  9. .gitattributes
  10. .gitignore
  11. Android.mk
  12. CHANGELOG
  13. CHANGELOG.archive
  14. COPYING
  15. COPYING-v3
  16. dnsmasq.conf.example
  17. doc.html
  18. FAQ
  19. Makefile
  20. setup.html
  21. trust-anchors.conf
  22. VERSION