From: "Tony Finch" <dot@dotat.at>
To: bind9-bugs@isc.org
CC: "Tony Finch" <dot@dotat.at>
Subject: [PATCH] minimal-any for DNSKEY/CDNSKEY, and minimal-responses for CDNSKEY/CDS
Date: Fri, 4 Aug 2017 14:43:46 +0100
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="utf-8"

It's possible for minimal-any to accidentally return large responses, if it happens to choose the DNSKEY or CDNSKEY RRset. In those cases the RRset should be at the zone apex, so we can skip it and there will be another RRset to put in the response. Similarly, minimal-responses are turned on for DNSKEY and DS queries, so do the same for CDNSKEY and CDS.
--- bin/named/query.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/bin/named/query.c b/bin/named/query.c index 9d7eff6..a31bedb 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -6139,6 +6139,16 @@ query_respond_any(query_ctx_t *qctx) { "minimal-any skip signature"); dns_rdataset_disassociate(qctx->rdataset); } else if (qctx->client->view->minimal_any && + !TCP(qctx->client) && + qctx->qtype == dns_rdatatype_any && + (qctx->rdataset->type == dns_rdatatype_dnskey || + qctx->rdataset->type == dns_rdatatype_cdnskey || + qctx->rdataset->covers == dns_rdatatype_dnskey || + qctx->rdataset->covers == dns_rdatatype_cdnskey)) { + CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " + "minimal-any skip (C)DNSKEY"); + dns_rdataset_disassociate(qctx->rdataset); + } else if (qctx->client->view->minimal_any && !TCP(qctx->client) && onetype != 0 && qctx->rdataset->type != onetype && qctx->rdataset->covers != onetype) @@ -9513,9 +9523,10 @@ ns_query_start(ns_client_t *client) { } /* - * Turn on minimal response for DNSKEY and DS queries. + * Turn on minimal response for (C)DNSKEY and (C)DS queries. */ - if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds) + if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds || + qtype == dns_rdatatype_cdnskey || qtype == dns_rdatatype_cds) client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL); -- 2.10.1.445.g3cdd5d1
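Review bot: in the query_respond_any hunk, the new "minimal-any skip (C)DNSKEY" branch disassociates the DNSKEY/CDNSKEY RRset (and, through the `covers` tests, its RRSIGs) without checking that any other RRset will actually reach the answer section. The description leans on these types living only at the zone apex, where SOA and NS are guaranteed to follow, but the hunk never tests that the name is the apex: at any other name whose only RRset is a DNSKEY, a UDP ANY query under minimal-any would now get an empty NOERROR answer, where the existing `onetype` logic would have returned that RRset. Either confirm that corner case is acceptable or let the skip fall through to the `onetype` selection when nothing has been added yet (a flag set where `onetype` is assigned would do). Note also that the new branch sits above the `onetype != 0` branch and carries its own `qctx->qtype == dns_rdatatype_any` guard; that guard is correct, since this function also serves RRSIG queries, but it is worth a one-line comment so the asymmetry with the branch below it is not mistaken for an oversight. Finally, the diffstat shows only bin/named/query.c changing; a behaviour change to minimal-any should come with a CHANGES entry, an update to the minimal-any description in the ARM, and a system test that issues an ANY query over UDP at a signed apex and checks that no DNSKEY or CDNSKEY is returned.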
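Review bot: the ns_query_start hunk is consistent with the existing DNSKEY/DS handling, and CDS/CDNSKEY lookups from parent-side provisioning scanners have no use for authority or additional data, so forcing `NS_QUERYATTR_NOAUTHORITY | NS_QUERYATTR_NOADDITIONAL` for them is reasonable. What is missing is documentation: if the ARM currently tells operators that DNSKEY and DS queries always receive minimal responses regardless of the `minimal-responses` setting, that text needs to list CDNSKEY and CDS too, and the CHANGES entry should mention this second behaviour change separately from the minimal-any one since operators may notice either on its own. The updated comment and the wrapped continuation line follow the surrounding style.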