Handle duplicate RRs in DNSSEC validation.
RFC 4034 says:
[RFC2181] specifies that an RRset is not allowed to contain duplicate
records (multiple RRs with the same owner name, class, type, and
RDATA). Therefore, if an implementation detects duplicate RRs when
putting the RRset in canonical form, it MUST treat this as a protocol
error. If the implementation chooses to handle this protocol error
in the spirit of the robustness principle (being liberal in what it
accepts), it MUST remove all but one of the duplicate RR(s) for the
purposes of calculating the canonical form of the RRset.
We chose to handle this robustly, having found at least one recursive
server in the wild which returns duplicate NSEC records in the AUTHORITY
section of an answer generated from a wildcard record. sort_rrset() is
therefore modified to delete duplicate RRs which are detected almost
for free during the bubble-sort process.
Thanks to Toralf Förster for helping to diagnose this problem.
diff --git a/src/dnssec.c b/src/dnssec.c
index 6abc1d7..81eaa9e 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -277,10 +277,10 @@
leaving the following bytes as deciding the order. Hence the nasty left1 and left2 variables.
*/
-static void sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx,
- unsigned char **rrset, char *buff1, char *buff2)
+static int sort_rrset(struct dns_header *header, size_t plen, u16 *rr_desc, int rrsetidx,
+ unsigned char **rrset, char *buff1, char *buff2)
{
- int swap, quit, i;
+ int swap, quit, i, j;
do
{
@@ -342,11 +342,21 @@
rrset[i] = tmp;
swap = quit = 1;
}
+ else if (rc == 0 && quit && len1 == len2)
+ {
+ /* Two RRs are equal, remove one copy. RFC 4034, para 6.3 */
+ for (j = i+1; j < rrsetidx-1; j++)
+ rrset[j] = rrset[j+1];
+ rrsetidx--;
+ i--;
+ }
else if (rc < 0)
quit = 1;
}
}
} while (swap);
+
+ return rrsetidx;
}
static unsigned char **rrset = NULL, **sigs = NULL;
@@ -491,7 +501,7 @@
/* Sort RRset records into canonical order.
Note that at this point keyname and daemon->workspacename buffs are
unused, and used as workspace by the sort. */
- sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname);
+ rrsetidx = sort_rrset(header, plen, rr_desc, rrsetidx, rrset, daemon->workspacename, keyname);
/* Now try all the sigs to try and find one which validates */
for (j = 0; j <sigidx; j++)
@@ -545,6 +555,7 @@
u16 len, *dp;
p = rrset[i];
+
if (!extract_name(header, plen, &p, name, 1, 10))
return STAT_BOGUS;