1 /*
2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file has routine(s) for cleaning up incoming DNS messages from
40 * possible useless or malicious junk in it.
41 */
42 #include "config.h"
43 #include "iterator/iter_scrub.h"
44 #include "iterator/iterator.h"
45 #include "iterator/iter_priv.h"
46 #include "services/cache/rrset.h"
47 #include "util/log.h"
48 #include "util/net_help.h"
49 #include "util/regional.h"
50 #include "util/config_file.h"
51 #include "util/module.h"
52 #include "util/data/msgparse.h"
53 #include "util/data/dname.h"
54 #include "util/data/msgreply.h"
55 #include "util/alloc.h"
56 #include "sldns/sbuffer.h"
57
58 /** RRset flag used during scrubbing. The RRset is OK. */
59 #define RRSET_SCRUB_OK 0x80
60
61 /** remove rrset, update loop variables */
62 static void
remove_rrset(const char * str,sldns_buffer * pkt,struct msg_parse * msg,struct rrset_parse * prev,struct rrset_parse ** rrset)63 remove_rrset(const char* str, sldns_buffer* pkt, struct msg_parse* msg,
64 struct rrset_parse* prev, struct rrset_parse** rrset)
65 {
66 if(verbosity >= VERB_QUERY && str
67 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) {
68 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
69 dname_pkt_copy(pkt, buf, (*rrset)->dname);
70 log_nametypeclass(VERB_QUERY, str, buf,
71 (*rrset)->type, ntohs((*rrset)->rrset_class));
72 }
73 if(prev)
74 prev->rrset_all_next = (*rrset)->rrset_all_next;
75 else msg->rrset_first = (*rrset)->rrset_all_next;
76 if(msg->rrset_last == *rrset)
77 msg->rrset_last = prev;
78 msg->rrset_count --;
79 switch((*rrset)->section) {
80 case LDNS_SECTION_ANSWER: msg->an_rrsets--; break;
81 case LDNS_SECTION_AUTHORITY: msg->ns_rrsets--; break;
82 case LDNS_SECTION_ADDITIONAL: msg->ar_rrsets--; break;
83 default: log_assert(0);
84 }
85 msgparse_bucket_remove(msg, *rrset);
86 *rrset = (*rrset)->rrset_all_next;
87 }
88
89 /** return true if rr type has additional names in it */
90 static int
has_additional(uint16_t t)91 has_additional(uint16_t t)
92 {
93 switch(t) {
94 case LDNS_RR_TYPE_MB:
95 case LDNS_RR_TYPE_MD:
96 case LDNS_RR_TYPE_MF:
97 case LDNS_RR_TYPE_NS:
98 case LDNS_RR_TYPE_MX:
99 case LDNS_RR_TYPE_KX:
100 case LDNS_RR_TYPE_SRV:
101 return 1;
102 case LDNS_RR_TYPE_NAPTR:
103 /* TODO: NAPTR not supported, glue stripped off */
104 return 0;
105 }
106 return 0;
107 }
108
109 /** get additional name from rrset RR, return false if no name present */
110 static int
get_additional_name(struct rrset_parse * rrset,struct rr_parse * rr,uint8_t ** nm,size_t * nmlen,sldns_buffer * pkt)111 get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr,
112 uint8_t** nm, size_t* nmlen, sldns_buffer* pkt)
113 {
114 size_t offset = 0;
115 size_t len, oldpos;
116 switch(rrset->type) {
117 case LDNS_RR_TYPE_MB:
118 case LDNS_RR_TYPE_MD:
119 case LDNS_RR_TYPE_MF:
120 case LDNS_RR_TYPE_NS:
121 offset = 0;
122 break;
123 case LDNS_RR_TYPE_MX:
124 case LDNS_RR_TYPE_KX:
125 offset = 2;
126 break;
127 case LDNS_RR_TYPE_SRV:
128 offset = 6;
129 break;
130 case LDNS_RR_TYPE_NAPTR:
131 /* TODO: NAPTR not supported, glue stripped off */
132 return 0;
133 default:
134 return 0;
135 }
136 len = sldns_read_uint16(rr->ttl_data+sizeof(uint32_t));
137 if(len < offset+1)
138 return 0; /* rdata field too small */
139 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset;
140 oldpos = sldns_buffer_position(pkt);
141 sldns_buffer_set_position(pkt, (size_t)(*nm - sldns_buffer_begin(pkt)));
142 *nmlen = pkt_dname_len(pkt);
143 sldns_buffer_set_position(pkt, oldpos);
144 if(*nmlen == 0)
145 return 0;
146 return 1;
147 }
148
149 /** Place mark on rrsets in additional section they are OK */
150 static void
mark_additional_rrset(sldns_buffer * pkt,struct msg_parse * msg,struct rrset_parse * rrset)151 mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
152 struct rrset_parse* rrset)
153 {
154 /* Mark A and AAAA for NS as appropriate additional section info. */
155 uint8_t* nm = NULL;
156 size_t nmlen = 0;
157 struct rr_parse* rr;
158
159 if(!has_additional(rrset->type))
160 return;
161 for(rr = rrset->rr_first; rr; rr = rr->next) {
162 if(get_additional_name(rrset, rr, &nm, &nmlen, pkt)) {
163 /* mark A */
164 hashvalue_type h = pkt_hash_rrset(pkt, nm,
165 LDNS_RR_TYPE_A, rrset->rrset_class, 0);
166 struct rrset_parse* r = msgparse_hashtable_lookup(
167 msg, pkt, h, 0, nm, nmlen,
168 LDNS_RR_TYPE_A, rrset->rrset_class);
169 if(r && r->section == LDNS_SECTION_ADDITIONAL) {
170 r->flags |= RRSET_SCRUB_OK;
171 }
172
173 /* mark AAAA */
174 h = pkt_hash_rrset(pkt, nm, LDNS_RR_TYPE_AAAA,
175 rrset->rrset_class, 0);
176 r = msgparse_hashtable_lookup(msg, pkt, h, 0, nm,
177 nmlen, LDNS_RR_TYPE_AAAA, rrset->rrset_class);
178 if(r && r->section == LDNS_SECTION_ADDITIONAL) {
179 r->flags |= RRSET_SCRUB_OK;
180 }
181 }
182 }
183 }
184
185 /** Get target name of a CNAME */
186 static int
parse_get_cname_target(struct rrset_parse * rrset,uint8_t ** sname,size_t * snamelen,sldns_buffer * pkt)187 parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
188 size_t* snamelen, sldns_buffer* pkt)
189 {
190 size_t oldpos, dlen;
191 if(rrset->rr_count != 1) {
192 struct rr_parse* sig;
193 verbose(VERB_ALGO, "Found CNAME rrset with "
194 "size > 1: %u", (unsigned)rrset->rr_count);
195 /* use the first CNAME! */
196 rrset->rr_count = 1;
197 rrset->size = rrset->rr_first->size;
198 for(sig=rrset->rrsig_first; sig; sig=sig->next)
199 rrset->size += sig->size;
200 rrset->rr_last = rrset->rr_first;
201 rrset->rr_first->next = NULL;
202 }
203 if(rrset->rr_first->size < sizeof(uint16_t)+1)
204 return 0; /* CNAME rdata too small */
205 *sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
206 + sizeof(uint16_t); /* skip ttl, rdatalen */
207 *snamelen = rrset->rr_first->size - sizeof(uint16_t);
208
209 if(rrset->rr_first->outside_packet) {
210 if(!dname_valid(*sname, *snamelen))
211 return 0;
212 return 1;
213 }
214 oldpos = sldns_buffer_position(pkt);
215 sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
216 dlen = pkt_dname_len(pkt);
217 sldns_buffer_set_position(pkt, oldpos);
218 if(dlen == 0)
219 return 0; /* parse fail on the rdata name */
220 *snamelen = dlen;
221 return 1;
222 }
223
224 /** Synthesize CNAME from DNAME, false if too long */
225 static int
synth_cname(uint8_t * qname,size_t qnamelen,struct rrset_parse * dname_rrset,uint8_t * alias,size_t * aliaslen,sldns_buffer * pkt)226 synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
227 uint8_t* alias, size_t* aliaslen, sldns_buffer* pkt)
228 {
229 /* we already know that sname is a strict subdomain of DNAME owner */
230 uint8_t* dtarg = NULL;
231 size_t dtarglen;
232 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
233 return 0;
234 if(qnamelen <= dname_rrset->dname_len)
235 return 0;
236 if(qnamelen == 0)
237 return 0;
238 log_assert(qnamelen > dname_rrset->dname_len);
239 /* DNAME from com. to net. with qname example.com. -> example.net. */
240 /* so: \3com\0 to \3net\0 and qname \7example\3com\0 */
241 *aliaslen = qnamelen + dtarglen - dname_rrset->dname_len;
242 if(*aliaslen > LDNS_MAX_DOMAINLEN)
243 return 0; /* should have been RCODE YXDOMAIN */
244 /* decompress dnames into buffer, we know it fits */
245 dname_pkt_copy(pkt, alias, qname);
246 dname_pkt_copy(pkt, alias+(qnamelen-dname_rrset->dname_len), dtarg);
247 return 1;
248 }
249
250 /** synthesize a CNAME rrset */
251 static struct rrset_parse*
synth_cname_rrset(uint8_t ** sname,size_t * snamelen,uint8_t * alias,size_t aliaslen,struct regional * region,struct msg_parse * msg,struct rrset_parse * rrset,struct rrset_parse * prev,struct rrset_parse * nx,sldns_buffer * pkt)252 synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
253 size_t aliaslen, struct regional* region, struct msg_parse* msg,
254 struct rrset_parse* rrset, struct rrset_parse* prev,
255 struct rrset_parse* nx, sldns_buffer* pkt)
256 {
257 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region,
258 sizeof(struct rrset_parse));
259 if(!cn)
260 return NULL;
261 memset(cn, 0, sizeof(*cn));
262 cn->rr_first = (struct rr_parse*)regional_alloc(region,
263 sizeof(struct rr_parse));
264 if(!cn->rr_first)
265 return NULL;
266 cn->rr_last = cn->rr_first;
267 /* CNAME from sname to alias */
268 cn->dname = (uint8_t*)regional_alloc(region, *snamelen);
269 if(!cn->dname)
270 return NULL;
271 dname_pkt_copy(pkt, cn->dname, *sname);
272 cn->dname_len = *snamelen;
273 cn->type = LDNS_RR_TYPE_CNAME;
274 cn->section = rrset->section;
275 cn->rrset_class = rrset->rrset_class;
276 cn->rr_count = 1;
277 cn->size = sizeof(uint16_t) + aliaslen;
278 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0);
279 /* allocate TTL + rdatalen + uncompressed dname */
280 memset(cn->rr_first, 0, sizeof(struct rr_parse));
281 cn->rr_first->outside_packet = 1;
282 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region,
283 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
284 if(!cn->rr_first->ttl_data)
285 return NULL;
286 memmove(cn->rr_first->ttl_data, rrset->rr_first->ttl_data,
287 sizeof(uint32_t)); /* RFC6672: synth CNAME TTL == DNAME TTL */
288 sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
289 memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
290 cn->rr_first->size = sizeof(uint16_t)+aliaslen;
291
292 /* link it in */
293 cn->rrset_all_next = nx;
294 if(prev)
295 prev->rrset_all_next = cn;
296 else msg->rrset_first = cn;
297 if(nx == NULL)
298 msg->rrset_last = cn;
299 msg->rrset_count ++;
300 msg->an_rrsets++;
301 /* it is not inserted in the msg hashtable. */
302
303 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t);
304 *snamelen = aliaslen;
305 return cn;
306 }
307
308 /** check if DNAME applies to a name */
309 static int
pkt_strict_sub(sldns_buffer * pkt,uint8_t * sname,uint8_t * dr)310 pkt_strict_sub(sldns_buffer* pkt, uint8_t* sname, uint8_t* dr)
311 {
312 uint8_t buf1[LDNS_MAX_DOMAINLEN+1];
313 uint8_t buf2[LDNS_MAX_DOMAINLEN+1];
314 /* decompress names */
315 dname_pkt_copy(pkt, buf1, sname);
316 dname_pkt_copy(pkt, buf2, dr);
317 return dname_strict_subdomain_c(buf1, buf2);
318 }
319
320 /** check subdomain with decompression */
321 static int
pkt_sub(sldns_buffer * pkt,uint8_t * comprname,uint8_t * zone)322 pkt_sub(sldns_buffer* pkt, uint8_t* comprname, uint8_t* zone)
323 {
324 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
325 dname_pkt_copy(pkt, buf, comprname);
326 return dname_subdomain_c(buf, zone);
327 }
328
329 /** check subdomain with decompression, compressed is parent */
330 static int
sub_of_pkt(sldns_buffer * pkt,uint8_t * zone,uint8_t * comprname)331 sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname)
332 {
333 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
334 dname_pkt_copy(pkt, buf, comprname);
335 return dname_subdomain_c(zone, buf);
336 }
337
338 /** Check if there are SOA records in the authority section (negative) */
339 static int
soa_in_auth(struct msg_parse * msg)340 soa_in_auth(struct msg_parse* msg)
341 {
342 struct rrset_parse* rrset;
343 for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next)
344 if(rrset->type == LDNS_RR_TYPE_SOA &&
345 rrset->section == LDNS_SECTION_AUTHORITY)
346 return 1;
347 return 0;
348 }
349
350 /** Check if type is allowed in the authority section */
351 static int
type_allowed_in_authority_section(uint16_t tp)352 type_allowed_in_authority_section(uint16_t tp)
353 {
354 if(tp == LDNS_RR_TYPE_SOA || tp == LDNS_RR_TYPE_NS ||
355 tp == LDNS_RR_TYPE_DS || tp == LDNS_RR_TYPE_NSEC ||
356 tp == LDNS_RR_TYPE_NSEC3)
357 return 1;
358 return 0;
359 }
360
361 /** Check if type is allowed in the additional section */
362 static int
type_allowed_in_additional_section(uint16_t tp)363 type_allowed_in_additional_section(uint16_t tp)
364 {
365 if(tp == LDNS_RR_TYPE_A || tp == LDNS_RR_TYPE_AAAA)
366 return 1;
367 return 0;
368 }
369
370 /** Shorten RRset */
371 static void
shorten_rrset(sldns_buffer * pkt,struct rrset_parse * rrset,int count)372 shorten_rrset(sldns_buffer* pkt, struct rrset_parse* rrset, int count)
373 {
374 /* The too large NS RRset is shortened. This is so that too large
375 * content does not overwhelm the cache. It may make the rrset
376 * bogus if it was signed, and then the domain is not resolved any
377 * more, that is okay, the NS RRset was too large. During a referral
378 * it can be shortened and then the first part of the list could
379 * be used to resolve. The scrub continues to disallow glue for the
380 * removed nameserver RRs and removes that too. Because the glue
381 * is not marked as okay, since the RRs have been removed here. */
382 int i;
383 struct rr_parse* rr = rrset->rr_first, *prev = NULL;
384 if(!rr)
385 return;
386 for(i=0; i<count; i++) {
387 prev = rr;
388 rr = rr->next;
389 if(!rr)
390 return; /* The RRset is already short. */
391 }
392 if(verbosity >= VERB_QUERY
393 && rrset->dname_len <= LDNS_MAX_DOMAINLEN) {
394 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
395 dname_pkt_copy(pkt, buf, rrset->dname);
396 log_nametypeclass(VERB_QUERY, "normalize: shorten RRset:", buf,
397 rrset->type, ntohs(rrset->rrset_class));
398 }
399 /* remove further rrs */
400 rrset->rr_last = prev;
401 rrset->rr_count = count;
402 while(rr) {
403 rrset->size -= rr->size;
404 rr = rr->next;
405 }
406 if(rrset->rr_last)
407 rrset->rr_last->next = NULL;
408 else rrset->rr_first = NULL;
409 }
410
411 /**
412 * This routine normalizes a response. This includes removing "irrelevant"
413 * records from the answer and additional sections and (re)synthesizing
414 * CNAMEs from DNAMEs, if present.
415 *
416 * @param pkt: packet.
417 * @param msg: msg to normalize.
418 * @param qinfo: original query.
419 * @param region: where to allocate synthesized CNAMEs.
420 * @param env: module env with config options.
421 * @param zonename: name of server zone.
422 * @return 0 on error.
423 */
424 static int
scrub_normalize(sldns_buffer * pkt,struct msg_parse * msg,struct query_info * qinfo,struct regional * region,struct module_env * env,uint8_t * zonename)425 scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
426 struct query_info* qinfo, struct regional* region,
427 struct module_env* env, uint8_t* zonename)
428 {
429 uint8_t* sname = qinfo->qname;
430 size_t snamelen = qinfo->qname_len;
431 struct rrset_parse* rrset, *prev, *nsset=NULL;
432 int cname_length = 0; /* number of CNAMEs, or DNAMEs */
433
434 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
435 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN &&
436 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN)
437 return 1;
438
439 /* For the ANSWER section, remove all "irrelevant" records and add
440 * synthesized CNAMEs from DNAMEs
441 * This will strip out-of-order CNAMEs as well. */
442
443 /* walk through the parse packet rrset list, keep track of previous
444 * for insert and delete ease, and examine every RRset */
445 prev = NULL;
446 rrset = msg->rrset_first;
447 while(rrset && rrset->section == LDNS_SECTION_ANSWER) {
448 if(cname_length > env->cfg->iter_scrub_cname) {
449 /* Too many CNAMEs, or DNAMEs, from the authority
450 * server, scrub down the length to something
451 * shorter. This deletes everything after the limit
452 * is reached. The iterator is going to look up
453 * the content one by one anyway. */
454 remove_rrset("normalize: removing because too many cnames:",
455 pkt, msg, prev, &rrset);
456 continue;
457 }
458 if(rrset->type == LDNS_RR_TYPE_DNAME &&
459 pkt_strict_sub(pkt, sname, rrset->dname)) {
460 /* check if next rrset is correct CNAME. else,
461 * synthesize a CNAME */
462 struct rrset_parse* nx = rrset->rrset_all_next;
463 uint8_t alias[LDNS_MAX_DOMAINLEN+1];
464 size_t aliaslen = 0;
465 if(rrset->rr_count != 1) {
466 verbose(VERB_ALGO, "Found DNAME rrset with "
467 "size > 1: %u",
468 (unsigned)rrset->rr_count);
469 return 0;
470 }
471 if(!synth_cname(sname, snamelen, rrset, alias,
472 &aliaslen, pkt)) {
473 verbose(VERB_ALGO, "synthesized CNAME "
474 "too long");
475 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) {
476 prev = rrset;
477 rrset = rrset->rrset_all_next;
478 continue;
479 }
480 return 0;
481 }
482 cname_length++;
483 if(nx && nx->type == LDNS_RR_TYPE_CNAME &&
484 dname_pkt_compare(pkt, sname, nx->dname) == 0) {
485 /* check next cname */
486 uint8_t* t = NULL;
487 size_t tlen = 0;
488 if(!parse_get_cname_target(nx, &t, &tlen, pkt))
489 return 0;
490 if(dname_pkt_compare(pkt, alias, t) == 0) {
491 /* it's OK and better capitalized */
492 prev = rrset;
493 rrset = nx;
494 continue;
495 }
496 /* synth ourselves */
497 }
498 /* synth a CNAME rrset */
499 prev = synth_cname_rrset(&sname, &snamelen, alias,
500 aliaslen, region, msg, rrset, rrset, nx, pkt);
501 if(!prev) {
502 log_err("out of memory synthesizing CNAME");
503 return 0;
504 }
505 /* FIXME: resolve the conflict between synthesized
506 * CNAME ttls and the cache. */
507 rrset = nx;
508 continue;
509
510 }
511
512 /* The only records in the ANSWER section not allowed to */
513 if(dname_pkt_compare(pkt, sname, rrset->dname) != 0) {
514 remove_rrset("normalize: removing irrelevant RRset:",
515 pkt, msg, prev, &rrset);
516 continue;
517 }
518
519 /* Follow the CNAME chain. */
520 if(rrset->type == LDNS_RR_TYPE_CNAME) {
521 struct rrset_parse* nx = rrset->rrset_all_next;
522 uint8_t* oldsname = sname;
523 cname_length++;
524 /* see if the next one is a DNAME, if so, swap them */
525 if(nx && nx->section == LDNS_SECTION_ANSWER &&
526 nx->type == LDNS_RR_TYPE_DNAME &&
527 nx->rr_count == 1 &&
528 pkt_strict_sub(pkt, sname, nx->dname)) {
529 /* there is a DNAME after this CNAME, it
530 * is in the ANSWER section, and the DNAME
531 * applies to the name we cover */
532 /* check if the alias of the DNAME equals
533 * this CNAME */
534 uint8_t alias[LDNS_MAX_DOMAINLEN+1];
535 size_t aliaslen = 0;
536 uint8_t* t = NULL;
537 size_t tlen = 0;
538 if(synth_cname(sname, snamelen, nx, alias,
539 &aliaslen, pkt) &&
540 parse_get_cname_target(rrset, &t, &tlen, pkt) &&
541 dname_pkt_compare(pkt, alias, t) == 0) {
542 /* the synthesized CNAME equals the
543 * current CNAME. This CNAME is the
544 * one that the DNAME creates, and this
545 * CNAME is better capitalised */
546 verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
547 if(prev) prev->rrset_all_next = nx;
548 else msg->rrset_first = nx;
549 if(nx->rrset_all_next == NULL)
550 msg->rrset_last = rrset;
551 rrset->rrset_all_next =
552 nx->rrset_all_next;
553 nx->rrset_all_next = rrset;
554 /* prev = nx; unused, enable if there
555 * is other rrset removal code after
556 * this */
557 }
558 }
559
560 /* move to next name in CNAME chain */
561 if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
562 return 0;
563 prev = rrset;
564 rrset = rrset->rrset_all_next;
565 /* in CNAME ANY response, can have data after CNAME */
566 if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
567 while(rrset && rrset->section ==
568 LDNS_SECTION_ANSWER &&
569 dname_pkt_compare(pkt, oldsname,
570 rrset->dname) == 0) {
571 if(rrset->type == LDNS_RR_TYPE_NS &&
572 rrset->rr_count > env->cfg->iter_scrub_ns) {
573 shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns);
574 }
575 prev = rrset;
576 rrset = rrset->rrset_all_next;
577 }
578 }
579 continue;
580 }
581
582 /* Otherwise, make sure that the RRset matches the qtype. */
583 if(qinfo->qtype != LDNS_RR_TYPE_ANY &&
584 qinfo->qtype != rrset->type) {
585 remove_rrset("normalize: removing irrelevant RRset:",
586 pkt, msg, prev, &rrset);
587 continue;
588 }
589
590 if(rrset->type == LDNS_RR_TYPE_NS &&
591 rrset->rr_count > env->cfg->iter_scrub_ns) {
592 shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns);
593 }
594
595 /* Mark the additional names from relevant rrset as OK. */
596 /* only for RRsets that match the query name, other ones
597 * will be removed by sanitize, so no additional for them */
598 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0)
599 mark_additional_rrset(pkt, msg, rrset);
600
601 prev = rrset;
602 rrset = rrset->rrset_all_next;
603 }
604
605 /* Mark additional names from AUTHORITY */
606 while(rrset && rrset->section == LDNS_SECTION_AUTHORITY) {
607 /* protect internals of recursor by making sure to del these */
608 if(rrset->type==LDNS_RR_TYPE_DNAME ||
609 rrset->type==LDNS_RR_TYPE_CNAME ||
610 rrset->type==LDNS_RR_TYPE_A ||
611 rrset->type==LDNS_RR_TYPE_AAAA) {
612 remove_rrset("normalize: removing irrelevant "
613 "RRset:", pkt, msg, prev, &rrset);
614 continue;
615 }
616 /* Allowed list of types in the authority section */
617 if(env->cfg->harden_unknown_additional &&
618 !type_allowed_in_authority_section(rrset->type)) {
619 remove_rrset("normalize: removing irrelevant "
620 "RRset:", pkt, msg, prev, &rrset);
621 continue;
622 }
623 /* only one NS set allowed in authority section */
624 if(rrset->type==LDNS_RR_TYPE_NS) {
625 /* NS set must be pertinent to the query */
626 if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) {
627 remove_rrset("normalize: removing irrelevant "
628 "RRset:", pkt, msg, prev, &rrset);
629 continue;
630 }
631 /* we don't want NS sets for NXDOMAIN answers,
632 * because they could contain poisonous contents,
633 * from. eg. fragmentation attacks, inserted after
634 * long RRSIGs in the packet get to the packet
635 * border and such */
636 /* also for NODATA answers */
637 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
638 (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
639 && soa_in_auth(msg) && msg->an_rrsets == 0)) {
640 remove_rrset("normalize: removing irrelevant "
641 "RRset:", pkt, msg, prev, &rrset);
642 continue;
643 }
644 /* If the NS set is a promiscuous NS set, scrub that
645 * to remove potential for poisonous contents that
646 * affects other names in the same zone. Remove
647 * promiscuous NS sets in positive answers, that
648 * thus have records in the answer section. Nodata
649 * and nxdomain promiscuous NS sets have been removed
650 * already. Since the NS rrset is scrubbed, its
651 * address records are also not marked to be allowed
652 * and are removed later. */
653 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
654 msg->an_rrsets != 0 &&
655 env->cfg->iter_scrub_promiscuous) {
656 remove_rrset("normalize: removing promiscuous "
657 "RRset:", pkt, msg, prev, &rrset);
658 continue;
659 }
660 /* Also delete promiscuous NS for other RCODEs */
661 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR
662 && env->cfg->iter_scrub_promiscuous) {
663 remove_rrset("normalize: removing promiscuous "
664 "RRset:", pkt, msg, prev, &rrset);
665 continue;
666 }
667 /* Also delete promiscuous NS for NOERROR with nodata
668 * for authoritative answers, not for delegations.
669 * NOERROR with an_rrsets!=0 already handled.
670 * Also NOERROR and soa_in_auth already handled.
671 * NOERROR with an_rrsets==0, and not a referral.
672 * referral is (NS not the zonename, noSOA).
673 */
674 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
675 && msg->an_rrsets == 0
676 && !(dname_pkt_compare(pkt, rrset->dname,
677 zonename) != 0 && !soa_in_auth(msg))
678 && env->cfg->iter_scrub_promiscuous) {
679 remove_rrset("normalize: removing promiscuous "
680 "RRset:", pkt, msg, prev, &rrset);
681 continue;
682 }
683 if(nsset == NULL) {
684 nsset = rrset;
685 } else {
686 remove_rrset("normalize: removing irrelevant "
687 "RRset:", pkt, msg, prev, &rrset);
688 continue;
689 }
690 if(rrset->rr_count > env->cfg->iter_scrub_ns) {
691 /* If this is not a referral, and the NS RRset
692 * is signed, then remove it entirely, so
693 * that when it becomes bogus it does not
694 * make the message that is otherwise fine
695 * into a bogus message. */
696 if(!(msg->an_rrsets == 0 &&
697 FLAGS_GET_RCODE(msg->flags) ==
698 LDNS_RCODE_NOERROR &&
699 !soa_in_auth(msg) &&
700 !(msg->flags & BIT_AA)) &&
701 rrset->rrsig_count != 0) {
702 remove_rrset("normalize: removing too large NS "
703 "RRset:", pkt, msg, prev, &rrset);
704 continue;
705 } else {
706 shorten_rrset(pkt, rrset, env->cfg->iter_scrub_ns);
707 }
708 }
709 }
710 /* if this is type DS and we query for type DS we just got
711 * a referral answer for our type DS query, fix packet */
712 if(rrset->type==LDNS_RR_TYPE_DS &&
713 qinfo->qtype == LDNS_RR_TYPE_DS &&
714 dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) {
715 rrset->section = LDNS_SECTION_ANSWER;
716 msg->ancount = rrset->rr_count + rrset->rrsig_count;
717 msg->nscount = 0;
718 msg->arcount = 0;
719 msg->an_rrsets = 1;
720 msg->ns_rrsets = 0;
721 msg->ar_rrsets = 0;
722 msg->rrset_count = 1;
723 msg->rrset_first = rrset;
724 msg->rrset_last = rrset;
725 rrset->rrset_all_next = NULL;
726 return 1;
727 }
728 mark_additional_rrset(pkt, msg, rrset);
729 prev = rrset;
730 rrset = rrset->rrset_all_next;
731 }
732
733 /* For each record in the additional section, remove it if it is an
734 * address record and not in the collection of additional names
735 * found in ANSWER and AUTHORITY. */
736 /* These records have not been marked OK previously */
737 while(rrset && rrset->section == LDNS_SECTION_ADDITIONAL) {
738 if(rrset->type==LDNS_RR_TYPE_A ||
739 rrset->type==LDNS_RR_TYPE_AAAA)
740 {
741 if((rrset->flags & RRSET_SCRUB_OK)) {
742 /* remove flag to clean up flags variable */
743 rrset->flags &= ~RRSET_SCRUB_OK;
744 } else {
745 remove_rrset("normalize: removing irrelevant "
746 "RRset:", pkt, msg, prev, &rrset);
747 continue;
748 }
749 }
750 /* protect internals of recursor by making sure to del these */
751 if(rrset->type==LDNS_RR_TYPE_DNAME ||
752 rrset->type==LDNS_RR_TYPE_CNAME ||
753 rrset->type==LDNS_RR_TYPE_NS) {
754 remove_rrset("normalize: removing irrelevant "
755 "RRset:", pkt, msg, prev, &rrset);
756 continue;
757 }
758 /* Allowed list of types in the additional section */
759 if(env->cfg->harden_unknown_additional &&
760 !type_allowed_in_additional_section(rrset->type)) {
761 remove_rrset("normalize: removing irrelevant "
762 "RRset:", pkt, msg, prev, &rrset);
763 continue;
764 }
765 prev = rrset;
766 rrset = rrset->rrset_all_next;
767 }
768
769 return 1;
770 }
771
772 /**
773 * Store potential poison in the cache (only if hardening disabled).
774 * The rrset is stored in the cache but removed from the message.
775 * So that it will be used for infrastructure purposes, but not be
776 * returned to the client.
777 * @param pkt: packet
778 * @param msg: message parsed
779 * @param env: environment with cache
780 * @param rrset: to store.
781 */
782 static void
store_rrset(sldns_buffer * pkt,struct msg_parse * msg,struct module_env * env,struct rrset_parse * rrset)783 store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
784 struct rrset_parse* rrset)
785 {
786 struct ub_packed_rrset_key* k;
787 struct packed_rrset_data* d;
788 struct rrset_ref ref;
789 time_t now = *env->now;
790
791 k = alloc_special_obtain(env->alloc);
792 if(!k)
793 return;
794 k->entry.data = NULL;
795 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) {
796 alloc_special_release(env->alloc, k);
797 return;
798 }
799 d = (struct packed_rrset_data*)k->entry.data;
800 packed_rrset_ttl_add(d, now);
801 ref.key = k;
802 ref.id = k->id;
803 /*ignore ret: it was in the cache, ref updated */
804 (void)rrset_cache_update(env->rrset_cache, &ref, env->alloc, now);
805 }
806
807 /**
808 * Check if right hand name in NSEC is within zone
809 * @param pkt: the packet buffer for decompression.
810 * @param rrset: the NSEC rrset
811 * @param zonename: the zone name.
812 * @return true if BAD.
813 */
sanitize_nsec_is_overreach(sldns_buffer * pkt,struct rrset_parse * rrset,uint8_t * zonename)814 static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
815 struct rrset_parse* rrset, uint8_t* zonename)
816 {
817 struct rr_parse* rr;
818 uint8_t* rhs;
819 size_t len;
820 log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
821 for(rr = rrset->rr_first; rr; rr = rr->next) {
822 size_t pos = sldns_buffer_position(pkt);
823 size_t rhspos;
824 rhs = rr->ttl_data+4+2;
825 len = sldns_read_uint16(rr->ttl_data+4);
826 rhspos = rhs-sldns_buffer_begin(pkt);
827 sldns_buffer_set_position(pkt, rhspos);
828 if(pkt_dname_len(pkt) == 0) {
829 /* malformed */
830 sldns_buffer_set_position(pkt, pos);
831 return 1;
832 }
833 if(sldns_buffer_position(pkt)-rhspos > len) {
834 /* outside of rdata boundaries */
835 sldns_buffer_set_position(pkt, pos);
836 return 1;
837 }
838 sldns_buffer_set_position(pkt, pos);
839 if(!pkt_sub(pkt, rhs, zonename)) {
840 /* overreaching */
841 return 1;
842 }
843 }
844 /* all NSEC RRs OK */
845 return 0;
846 }
847
848 /** Remove individual RRs, if the length is wrong. Returns true if the RRset
849 * has been removed. */
850 static int
scrub_sanitize_rr_length(sldns_buffer * pkt,struct msg_parse * msg,struct rrset_parse * prev,struct rrset_parse ** rrset,int * added_ede,struct module_qstate * qstate)851 scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg,
852 struct rrset_parse* prev, struct rrset_parse** rrset, int* added_ede,
853 struct module_qstate* qstate)
854 {
855 struct rr_parse* rr, *rr_prev = NULL;
856 for(rr = (*rrset)->rr_first; rr; rr = rr->next) {
857
858 /* Sanity check for length of records
859 * An A record should be 6 bytes only
860 * (2 bytes for length and 4 for IPv4 addr)*/
861 if((*rrset)->type == LDNS_RR_TYPE_A && rr->size != 6 ) {
862 if(!*added_ede) {
863 *added_ede = 1;
864 errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.",
865 LDNS_EDE_OTHER);
866 }
867 if(msgparse_rrset_remove_rr("sanitize: removing type A RR of inappropriate length:",
868 pkt, *rrset, rr_prev, rr, NULL, 0)) {
869 remove_rrset("sanitize: removing type A RRset of inappropriate length:",
870 pkt, msg, prev, rrset);
871 return 1;
872 }
873 continue;
874 }
875
876 /* Sanity check for length of records
877 * An AAAA record should be 18 bytes only
878 * (2 bytes for length and 16 for IPv6 addr)*/
879 if((*rrset)->type == LDNS_RR_TYPE_AAAA && rr->size != 18 ) {
880 if(!*added_ede) {
881 *added_ede = 1;
882 errinf_ede(qstate, "sanitize: records of inappropriate length have been removed.",
883 LDNS_EDE_OTHER);
884 }
885 if(msgparse_rrset_remove_rr("sanitize: removing type AAAA RR of inappropriate length:",
886 pkt, *rrset, rr_prev, rr, NULL, 0)) {
887 remove_rrset("sanitize: removing type AAAA RRset of inappropriate length:",
888 pkt, msg, prev, rrset);
889 return 1;
890 }
891 continue;
892 }
893 rr_prev = rr;
894 }
895 return 0;
896 }
897
898 /**
899 * Given a response event, remove suspect RRsets from the response.
900 * "Suspect" rrsets are potentially poison. Note that this routine expects
901 * the response to be in a "normalized" state -- that is, all "irrelevant"
902 * RRsets have already been removed, CNAMEs are in order, etc.
903 *
904 * @param pkt: packet.
905 * @param msg: msg to normalize.
906 * @param qinfo: the question originally asked.
907 * @param zonename: name of server zone.
908 * @param env: module environment with config and cache.
909 * @param ie: iterator environment with private address data.
910 * @param qstate: for setting errinf for EDE error messages.
911 * @return 0 on error.
912 */
913 static int
scrub_sanitize(sldns_buffer * pkt,struct msg_parse * msg,struct query_info * qinfo,uint8_t * zonename,struct module_env * env,struct iter_env * ie,struct module_qstate * qstate)914 scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
915 struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
916 struct iter_env* ie, struct module_qstate* qstate)
917 {
918 int del_addi = 0; /* if additional-holding rrsets are deleted, we
919 do not trust the normalized additional-A-AAAA any more */
920 uint8_t* ns_rrset_dname = NULL;
921 int added_rrlen_ede = 0;
922 struct rrset_parse* rrset, *prev;
923 prev = NULL;
924 rrset = msg->rrset_first;
925
926 /* the first DNAME is allowed to stay. It needs checking before
927 * it can be used from the cache. After normalization, an initial
928 * DNAME will have a correctly synthesized CNAME after it. */
929 if(rrset && rrset->type == LDNS_RR_TYPE_DNAME &&
930 rrset->section == LDNS_SECTION_ANSWER &&
931 pkt_strict_sub(pkt, qinfo->qname, rrset->dname) &&
932 pkt_sub(pkt, rrset->dname, zonename)) {
933 prev = rrset; /* DNAME allowed to stay in answer section */
934 rrset = rrset->rrset_all_next;
935 }
936
937 /* remove all records from the answer section that are
938 * not the same domain name as the query domain name.
939 * The answer section should contain rrsets with the same name
940 * as the question. For DNAMEs a CNAME has been synthesized.
941 * Wildcards have the query name in answer section.
942 * ANY queries get query name in answer section.
943 * Remainders of CNAME chains are cut off and resolved by iterator. */
944 while(rrset && rrset->section == LDNS_SECTION_ANSWER) {
945 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) != 0) {
946 if(has_additional(rrset->type)) del_addi = 1;
947 remove_rrset("sanitize: removing extraneous answer "
948 "RRset:", pkt, msg, prev, &rrset);
949 continue;
950 }
951 prev = rrset;
952 rrset = rrset->rrset_all_next;
953 }
954
955 /* At this point, we brutally remove ALL rrsets that aren't
956 * children of the originating zone. The idea here is that,
957 * as far as we know, the server that we contacted is ONLY
958 * authoritative for the originating zone. It, of course, MAY
959 * be authoritative for any other zones, and of course, MAY
960 * NOT be authoritative for some subdomains of the originating
961 * zone. */
962 prev = NULL;
963 rrset = msg->rrset_first;
964 while(rrset) {
965
966 /* Sanity check for length of records */
967 if(rrset->type == LDNS_RR_TYPE_A ||
968 rrset->type == LDNS_RR_TYPE_AAAA) {
969 if(scrub_sanitize_rr_length(pkt, msg, prev, &rrset,
970 &added_rrlen_ede, qstate))
971 continue;
972 }
973
974 /* remove private addresses */
975 if( (rrset->type == LDNS_RR_TYPE_A ||
976 rrset->type == LDNS_RR_TYPE_AAAA)) {
977
978 /* do not set servfail since this leads to too
979 * many drops of other people using rfc1918 space */
980 /* also do not remove entire rrset, unless all records
981 * in it are bad */
982 if(priv_rrset_bad(ie->priv, pkt, rrset)) {
983 remove_rrset(NULL, pkt, msg, prev, &rrset);
984 continue;
985 }
986 }
987
988 /* skip DNAME records -- they will always be followed by a
989 * synthesized CNAME, which will be relevant.
990 * FIXME: should this do something differently with DNAME
991 * rrsets NOT in Section.ANSWER? */
992 /* But since DNAME records are also subdomains of the zone,
993 * same check can be used */
994
995 if(!pkt_sub(pkt, rrset->dname, zonename)) {
996 if(msg->an_rrsets == 0 &&
997 rrset->type == LDNS_RR_TYPE_NS &&
998 rrset->section == LDNS_SECTION_AUTHORITY &&
999 FLAGS_GET_RCODE(msg->flags) ==
1000 LDNS_RCODE_NOERROR && !soa_in_auth(msg) &&
1001 sub_of_pkt(pkt, zonename, rrset->dname)) {
1002 /* noerror, nodata and this NS rrset is above
1003 * the zone. This is LAME!
1004 * Leave in the NS for lame classification. */
1005 /* remove everything from the additional
1006 * (we dont want its glue that was approved
1007 * during the normalize action) */
1008 del_addi = 1;
1009 } else if(!env->cfg->harden_glue && (
1010 rrset->type == LDNS_RR_TYPE_A ||
1011 rrset->type == LDNS_RR_TYPE_AAAA)) {
1012 /* store in cache! Since it is relevant
1013 * (from normalize) it will be picked up
1014 * from the cache to be used later */
1015 store_rrset(pkt, msg, env, rrset);
1016 remove_rrset("sanitize: storing potential "
1017 "poison RRset:", pkt, msg, prev, &rrset);
1018 continue;
1019 } else {
1020 if(has_additional(rrset->type)) del_addi = 1;
1021 remove_rrset("sanitize: removing potential "
1022 "poison RRset:", pkt, msg, prev, &rrset);
1023 continue;
1024 }
1025 }
1026 if(rrset->type == LDNS_RR_TYPE_NS &&
1027 (rrset->section == LDNS_SECTION_AUTHORITY ||
1028 rrset->section == LDNS_SECTION_ANSWER)) {
1029 /* If the type is NS, and we're in the
1030 * answer or authority section, then
1031 * store the dname so we can check
1032 * against the glue records
1033 * further down */
1034 ns_rrset_dname = rrset->dname;
1035 }
1036 if(del_addi && rrset->section == LDNS_SECTION_ADDITIONAL) {
1037 remove_rrset("sanitize: removing potential "
1038 "poison reference RRset:", pkt, msg, prev, &rrset);
1039 continue;
1040 }
1041 /* check if right hand side of NSEC is within zone */
1042 if(rrset->type == LDNS_RR_TYPE_NSEC &&
1043 sanitize_nsec_is_overreach(pkt, rrset, zonename)) {
1044 remove_rrset("sanitize: removing overreaching NSEC "
1045 "RRset:", pkt, msg, prev, &rrset);
1046 continue;
1047 }
1048 if(env->cfg->harden_unverified_glue && ns_rrset_dname &&
1049 rrset->section == LDNS_SECTION_ADDITIONAL &&
1050 (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA) &&
1051 !pkt_strict_sub(pkt, rrset->dname, ns_rrset_dname)) {
1052 /* We're in the additional section, looking
1053 * at an A/AAAA rrset, have a previous
1054 * delegation point and we notice that
1055 * the glue records are NOT for strict
1056 * subdomains of the delegation. So set a
1057 * flag, recompute the hash for the rrset
1058 * and write the A/AAAA record to cache.
1059 * It'll be retrieved if we can't separately
1060 * resolve the glue */
1061 rrset->flags = PACKED_RRSET_UNVERIFIED_GLUE;
1062 rrset->hash = pkt_hash_rrset(pkt, rrset->dname, rrset->type, rrset->rrset_class, rrset->flags);
1063 store_rrset(pkt, msg, env, rrset);
1064 remove_rrset("sanitize: storing potential "
1065 "unverified glue reference RRset:", pkt, msg, prev, &rrset);
1066 continue;
1067 }
1068 prev = rrset;
1069 rrset = rrset->rrset_all_next;
1070 }
1071 return 1;
1072 }
1073
1074 int
scrub_message(sldns_buffer * pkt,struct msg_parse * msg,struct query_info * qinfo,uint8_t * zonename,struct regional * region,struct module_env * env,struct module_qstate * qstate,struct iter_env * ie)1075 scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
1076 struct query_info* qinfo, uint8_t* zonename, struct regional* region,
1077 struct module_env* env, struct module_qstate* qstate,
1078 struct iter_env* ie)
1079 {
1080 /* basic sanity checks */
1081 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS,
1082 qinfo->qclass);
1083 if(msg->qdcount > 1)
1084 return 0;
1085 if( !(msg->flags&BIT_QR) )
1086 return 0;
1087 msg->flags &= ~(BIT_AD|BIT_Z); /* force off bit AD and Z */
1088
1089 /* make sure that a query is echoed back when NOERROR or NXDOMAIN */
1090 /* this is not required for basic operation but is a forgery
1091 * resistance (security) feature */
1092 if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
1093 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
1094 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) &&
1095 msg->qdcount == 0)
1096 return 0;
1097
1098 /* if a query is echoed back, make sure it is correct. Otherwise,
1099 * this may be not a reply to our query. */
1100 if(msg->qdcount == 1) {
1101 if(dname_pkt_compare(pkt, msg->qname, qinfo->qname) != 0)
1102 return 0;
1103 if(msg->qtype != qinfo->qtype || msg->qclass != qinfo->qclass)
1104 return 0;
1105 }
1106
1107 /* normalize the response, this cleans up the additional. */
1108 if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename))
1109 return 0;
1110 /* delete all out-of-zone information */
1111 if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate))
1112 return 0;
1113 return 1;
1114 }
1115