Possible fix for Kaminsky's bug
L. Gabriel Somlo
gsomlo at gmail.com
Wed Aug 27 05:05:44 UTC 2008
On Wed, Aug 27, 2008 at 02:40:45PM +1000, Mark Andrews wrote:
>
> This fails to account for DNSSEC verified changes.
>
You mean you'd still want to allow a DNSSEC capable authority to
weasel out of its promised TTL, even if we don't allow non-DNSSEC
servers to get away with it? If that's the requirement, then maybe
replacing
trust <= header->trust
with
(trust >= dns_trust_secure && trust < header->trust || trust <= header->trust)
or
(trust < header->trust || trust < dns_trust_secure && trust == header->trust)
would only address non-DNSSEC servers...
Is that what you had in mind, or could you please clarify otherwise?
Thanks,
Gabriel
> > diff -NarU5 bind-9.5.0-P1.orig/lib/dns/rbtdb.c bind-9.5.0-P1/lib/dns/rbtdb.c
> > --- bind-9.5.0-P1.orig/lib/dns/rbtdb.c 2008-05-01 14:32:31.000000000 -0400
> > +++ bind-9.5.0-P1/lib/dns/rbtdb.c 2008-08-26 23:25:45.000000000 -0400
> > @@ -4939,11 +4939,11 @@
> >
> > /*
> > * Trying to add an rdataset with lower trust to a cache DB
> > * has no effect, provided that the cache data isn't stale.
> > */
> > - if (rbtversion == NULL && trust < header->trust &&
> > + if (rbtversion == NULL && trust <= header->trust &&
> > (header->rdh_ttl > now || header_nx)) {
> > free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
> > if (addedrdataset != NULL)
> > bind_rdataset(rbtdb, rbtnode, header, now,
> > addedrdataset);
> >
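Review bot: the comment above the changed line still says "lower trust" while the test is now `trust <= header->trust`, so an rdataset of equal trust is dropped as well; update it to "lower or equal trust" so the comment matches the code. The widened test also draws no distinction for DNSSEC-validated data, which is the objection raised at the top of this message: a validated rdataset arriving at the same trust as the cached one is discarded exactly like an unvalidated one. If the intent is only to stop unvalidated answers from overwriting live cache entries, the equal-trust case needs its own branch that lets data at dns_trust_secure or above through, along the lines of the second expression proposed in the reply above.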
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
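The trust comparisons discussed in this message, as an added example that is not BIND code and not part of the original post: it enumerates every pair of (new, cached) trust levels under the original test, the patched test, and the two replacement expressions proposed above, so the differences between them can be checked rather than read off the operators. The trust ordering below is a simplified stand-in for dns_trust_t and is an assumption of the example; the function and constant names are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Trust levels in the assumed order of BIND's dns_trust_t: a larger value
 * means more trusted.  The real enum has more members; only the relative
 * order, with "secure" above every unvalidated level, matters here.
 */
typedef enum {
    trust_none = 0,
    trust_additional,
    trust_glue,
    trust_answer,
    trust_authanswer,
    trust_secure,      /* stands in for dns_trust_secure */
    trust_ultimate,
    TRUST_COUNT
} trust_t;

/* The four candidate tests from the thread. */
enum cond {
    COND_ORIGINAL,   /* trust <  header->trust  (bind-9.5.0-P1 as shipped) */
    COND_PATCH,      /* trust <= header->trust  (the quoted patch)          */
    COND_ALT1,       /* first expression suggested in the reply              */
    COND_ALT2,       /* second expression suggested in the reply             */
    COND_COUNT
};

/*
 * True when the cache keeps its current rdataset and discards the new one.
 * The caller is assumed to have already established that the cached entry
 * is not stale (the "header->rdh_ttl > now || header_nx" half of the test).
 */
bool rejects_new_rdataset(enum cond c, trust_t trust, trust_t header_trust) {
    switch (c) {
    case COND_ORIGINAL:
        return trust < header_trust;
    case COND_PATCH:
        return trust <= header_trust;
    case COND_ALT1:
        /* && binds tighter than ||, exactly as the expression was written */
        return (trust >= trust_secure && trust < header_trust) ||
               trust <= header_trust;
    case COND_ALT2:
        return trust < header_trust ||
               (trust < trust_secure && trust == header_trust);
    default:
        return false;
    }
}

/* Number of (new, cached) trust pairs on which two tests decide differently. */
int count_disagreements(enum cond a, enum cond b) {
    int n = 0;
    for (int t = 0; t < TRUST_COUNT; t++)
        for (int h = 0; h < TRUST_COUNT; h++)
            if (rejects_new_rdataset(a, (trust_t)t, (trust_t)h) !=
                rejects_new_rdataset(b, (trust_t)t, (trust_t)h))
                n++;
    return n;
}

int main(void) {
    static const char *names[COND_COUNT] = {"original", "patch", "alt1", "alt2"};
    trust_t same[] = {trust_glue, trust_answer, trust_secure};

    /* Equal-trust replacement of a live cache entry: allowed by the original
       test, refused by the patch, refused by alt2 only below "secure". */
    for (int i = 0; i < 3; i++)
        for (int c = 0; c < COND_COUNT; c++)
            printf("%-8s new=%d cached=%d -> %s\n", names[c], same[i], same[i],
                   rejects_new_rdataset((enum cond)c, same[i], same[i])
                       ? "keep cache" : "replace");

    printf("alt1 vs patch: %d differing pairs\n",
           count_disagreements(COND_ALT1, COND_PATCH));
    printf("alt2 vs patch: %d differing pairs\n",
           count_disagreements(COND_ALT2, COND_PATCH));
    return 0;
}
```

Running the enumeration shows that the first proposed expression decides identically to the patch's `<=` on every pair: `&&` binds tighter than `||`, and whenever `trust < header->trust` holds, `trust <= header->trust` already holds, so the extra clause never changes the outcome. Only the second expression behaves differently, and it differs from the patch on exactly the equal-trust pairs at `trust_secure` and above, which is the carve-out for validated data that the reply is asking about.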