2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs.
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file has routine(s) for cleaning up incoming DNS messages from
40 * possible useless or malicious junk in it.
43 #include "iterator/iter_scrub.h"
44 #include "iterator/iterator.h"
45 #include "iterator/iter_priv.h"
46 #include "services/cache/rrset.h"
48 #include "util/net_help.h"
49 #include "util/regional.h"
50 #include "util/config_file.h"
51 #include "util/module.h"
52 #include "util/data/msgparse.h"
53 #include "util/data/dname.h"
54 #include "util/data/msgreply.h"
55 #include "util/alloc.h"
56 #include "sldns/sbuffer.h"
58 /** RRset flag used during scrubbing. The RRset is OK. */
59 #define RRSET_SCRUB_OK 0x80
61 /** remove rrset, update loop variables */
63 remove_rrset(const char* str, sldns_buffer* pkt, struct msg_parse* msg,
64 struct rrset_parse* prev, struct rrset_parse** rrset)
66 if(verbosity >= VERB_QUERY && str
67 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) {
68 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
69 dname_pkt_copy(pkt, buf, (*rrset)->dname);
70 log_nametypeclass(VERB_QUERY, str, buf,
71 (*rrset)->type, ntohs((*rrset)->rrset_class));
74 prev->rrset_all_next = (*rrset)->rrset_all_next;
75 else msg->rrset_first = (*rrset)->rrset_all_next;
76 if(msg->rrset_last == *rrset)
77 msg->rrset_last = prev;
79 switch((*rrset)->section) {
80 case LDNS_SECTION_ANSWER: msg->an_rrsets--; break;
81 case LDNS_SECTION_AUTHORITY: msg->ns_rrsets--; break;
82 case LDNS_SECTION_ADDITIONAL: msg->ar_rrsets--; break;
83 default: log_assert(0);
85 msgparse_bucket_remove(msg, *rrset);
86 *rrset = (*rrset)->rrset_all_next;
89 /** return true if rr type has additional names in it */
91 has_additional(uint16_t t)
100 case LDNS_RR_TYPE_SRV:
102 case LDNS_RR_TYPE_NAPTR:
103 /* TODO: NAPTR not supported, glue stripped off */
109 /** get additional name from rrset RR, return false if no name present */
111 get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr,
112 uint8_t** nm, size_t* nmlen, sldns_buffer* pkt)
116 switch(rrset->type) {
117 case LDNS_RR_TYPE_MB:
118 case LDNS_RR_TYPE_MD:
119 case LDNS_RR_TYPE_MF:
120 case LDNS_RR_TYPE_NS:
123 case LDNS_RR_TYPE_MX:
124 case LDNS_RR_TYPE_KX:
127 case LDNS_RR_TYPE_SRV:
130 case LDNS_RR_TYPE_NAPTR:
131 /* TODO: NAPTR not supported, glue stripped off */
136 len = sldns_read_uint16(rr->ttl_data+sizeof(uint32_t));
138 return 0; /* rdata field too small */
139 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset;
140 oldpos = sldns_buffer_position(pkt);
141 sldns_buffer_set_position(pkt, (size_t)(*nm - sldns_buffer_begin(pkt)));
142 *nmlen = pkt_dname_len(pkt);
143 sldns_buffer_set_position(pkt, oldpos);
149 /** Place mark on rrsets in additional section they are OK */
151 mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
152 struct rrset_parse* rrset)
154 /* Mark A and AAAA for NS as appropriate additional section info. */
159 if(!has_additional(rrset->type))
161 for(rr = rrset->rr_first; rr; rr = rr->next) {
162 if(get_additional_name(rrset, rr, &nm, &nmlen, pkt)) {
164 hashvalue_type h = pkt_hash_rrset(pkt, nm,
165 LDNS_RR_TYPE_A, rrset->rrset_class, 0);
166 struct rrset_parse* r = msgparse_hashtable_lookup(
167 msg, pkt, h, 0, nm, nmlen,
168 LDNS_RR_TYPE_A, rrset->rrset_class);
169 if(r && r->section == LDNS_SECTION_ADDITIONAL) {
170 r->flags |= RRSET_SCRUB_OK;
174 h = pkt_hash_rrset(pkt, nm, LDNS_RR_TYPE_AAAA,
175 rrset->rrset_class, 0);
176 r = msgparse_hashtable_lookup(msg, pkt, h, 0, nm,
177 nmlen, LDNS_RR_TYPE_AAAA, rrset->rrset_class);
178 if(r && r->section == LDNS_SECTION_ADDITIONAL) {
179 r->flags |= RRSET_SCRUB_OK;
185 /** Get target name of a CNAME */
187 parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
188 size_t* snamelen, sldns_buffer* pkt)
191 if(rrset->rr_count != 1) {
192 struct rr_parse* sig;
193 verbose(VERB_ALGO, "Found CNAME rrset with "
194 "size > 1: %u", (unsigned)rrset->rr_count);
195 /* use the first CNAME! */
197 rrset->size = rrset->rr_first->size;
198 for(sig=rrset->rrsig_first; sig; sig=sig->next)
199 rrset->size += sig->size;
200 rrset->rr_last = rrset->rr_first;
201 rrset->rr_first->next = NULL;
203 if(rrset->rr_first->size < sizeof(uint16_t)+1)
204 return 0; /* CNAME rdata too small */
205 *sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
206 + sizeof(uint16_t); /* skip ttl, rdatalen */
207 *snamelen = rrset->rr_first->size - sizeof(uint16_t);
209 if(rrset->rr_first->outside_packet) {
210 if(!dname_valid(*sname, *snamelen))
214 oldpos = sldns_buffer_position(pkt);
215 sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
216 dlen = pkt_dname_len(pkt);
217 sldns_buffer_set_position(pkt, oldpos);
219 return 0; /* parse fail on the rdata name */
224 /** Synthesize CNAME from DNAME, false if too long */
226 synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
227 uint8_t* alias, size_t* aliaslen, sldns_buffer* pkt)
229 /* we already know that sname is a strict subdomain of DNAME owner */
230 uint8_t* dtarg = NULL;
232 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
234 if(qnamelen <= dname_rrset->dname_len)
238 log_assert(qnamelen > dname_rrset->dname_len);
239 /* DNAME from com. to net. with qname example.com. -> example.net. */
240 /* so: \3com\0 to \3net\0 and qname \7example\3com\0 */
241 *aliaslen = qnamelen + dtarglen - dname_rrset->dname_len;
242 if(*aliaslen > LDNS_MAX_DOMAINLEN)
243 return 0; /* should have been RCODE YXDOMAIN */
244 /* decompress dnames into buffer, we know it fits */
245 dname_pkt_copy(pkt, alias, qname);
246 dname_pkt_copy(pkt, alias+(qnamelen-dname_rrset->dname_len), dtarg);
250 /** synthesize a CNAME rrset */
251 static struct rrset_parse*
252 synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
253 size_t aliaslen, struct regional* region, struct msg_parse* msg,
254 struct rrset_parse* rrset, struct rrset_parse* prev,
255 struct rrset_parse* nx, sldns_buffer* pkt)
257 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region,
258 sizeof(struct rrset_parse));
261 memset(cn, 0, sizeof(*cn));
262 cn->rr_first = (struct rr_parse*)regional_alloc(region,
263 sizeof(struct rr_parse));
266 cn->rr_last = cn->rr_first;
267 /* CNAME from sname to alias */
268 cn->dname = (uint8_t*)regional_alloc(region, *snamelen);
271 dname_pkt_copy(pkt, cn->dname, *sname);
272 cn->dname_len = *snamelen;
273 cn->type = LDNS_RR_TYPE_CNAME;
274 cn->section = rrset->section;
275 cn->rrset_class = rrset->rrset_class;
277 cn->size = sizeof(uint16_t) + aliaslen;
278 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0);
279 /* allocate TTL + rdatalen + uncompressed dname */
280 memset(cn->rr_first, 0, sizeof(struct rr_parse));
281 cn->rr_first->outside_packet = 1;
282 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region,
283 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
284 if(!cn->rr_first->ttl_data)
286 sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
287 sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
288 memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
289 cn->rr_first->size = sizeof(uint16_t)+aliaslen;
292 cn->rrset_all_next = nx;
294 prev->rrset_all_next = cn;
295 else msg->rrset_first = cn;
297 msg->rrset_last = cn;
300 /* it is not inserted in the msg hashtable. */
302 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t);
303 *snamelen = aliaslen;
307 /** check if DNAME applies to a name */
309 pkt_strict_sub(sldns_buffer* pkt, uint8_t* sname, uint8_t* dr)
311 uint8_t buf1[LDNS_MAX_DOMAINLEN+1];
312 uint8_t buf2[LDNS_MAX_DOMAINLEN+1];
313 /* decompress names */
314 dname_pkt_copy(pkt, buf1, sname);
315 dname_pkt_copy(pkt, buf2, dr);
316 return dname_strict_subdomain_c(buf1, buf2);
319 /** check subdomain with decompression */
321 pkt_sub(sldns_buffer* pkt, uint8_t* comprname, uint8_t* zone)
323 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
324 dname_pkt_copy(pkt, buf, comprname);
325 return dname_subdomain_c(buf, zone);
328 /** check subdomain with decompression, compressed is parent */
330 sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname)
332 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
333 dname_pkt_copy(pkt, buf, comprname);
334 return dname_subdomain_c(zone, buf);
337 /** Check if there are SOA records in the authority section (negative) */
339 soa_in_auth(struct msg_parse* msg)
341 struct rrset_parse* rrset;
342 for(rrset = msg->rrset_first; rrset; rrset = rrset->rrset_all_next)
343 if(rrset->type == LDNS_RR_TYPE_SOA &&
344 rrset->section == LDNS_SECTION_AUTHORITY)
350 * This routine normalizes a response. This includes removing "irrelevant"
351 * records from the answer and additional sections and (re)synthesizing
352 * CNAMEs from DNAMEs, if present.
354 * @param pkt: packet.
355 * @param msg: msg to normalize.
356 * @param qinfo: original query.
357 * @param region: where to allocate synthesized CNAMEs.
358 * @return 0 on error.
361 scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
362 struct query_info* qinfo, struct regional* region)
364 uint8_t* sname = qinfo->qname;
365 size_t snamelen = qinfo->qname_len;
366 struct rrset_parse* rrset, *prev, *nsset=NULL;
368 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
369 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN)
372 /* For the ANSWER section, remove all "irrelevant" records and add
373 * synthesized CNAMEs from DNAMEs
374 * This will strip out-of-order CNAMEs as well. */
376 /* walk through the parse packet rrset list, keep track of previous
377 * for insert and delete ease, and examine every RRset */
379 rrset = msg->rrset_first;
380 while(rrset && rrset->section == LDNS_SECTION_ANSWER) {
381 if(rrset->type == LDNS_RR_TYPE_DNAME &&
382 pkt_strict_sub(pkt, sname, rrset->dname)) {
383 /* check if next rrset is correct CNAME. else,
384 * synthesize a CNAME */
385 struct rrset_parse* nx = rrset->rrset_all_next;
386 uint8_t alias[LDNS_MAX_DOMAINLEN+1];
388 if(rrset->rr_count != 1) {
389 verbose(VERB_ALGO, "Found DNAME rrset with "
391 (unsigned)rrset->rr_count);
394 if(!synth_cname(sname, snamelen, rrset, alias,
396 verbose(VERB_ALGO, "synthesized CNAME "
400 if(nx && nx->type == LDNS_RR_TYPE_CNAME &&
401 dname_pkt_compare(pkt, sname, nx->dname) == 0) {
402 /* check next cname */
405 if(!parse_get_cname_target(nx, &t, &tlen, pkt))
407 if(dname_pkt_compare(pkt, alias, t) == 0) {
408 /* it's OK and better capitalized */
413 /* synth ourselves */
415 /* synth a CNAME rrset */
416 prev = synth_cname_rrset(&sname, &snamelen, alias,
417 aliaslen, region, msg, rrset, rrset, nx, pkt);
419 log_err("out of memory synthesizing CNAME");
422 /* FIXME: resolve the conflict between synthesized
423 * CNAME ttls and the cache. */
429 /* The only records in the ANSWER section not allowed to */
430 if(dname_pkt_compare(pkt, sname, rrset->dname) != 0) {
431 remove_rrset("normalize: removing irrelevant RRset:",
432 pkt, msg, prev, &rrset);
436 /* Follow the CNAME chain. */
437 if(rrset->type == LDNS_RR_TYPE_CNAME) {
438 struct rrset_parse* nx = rrset->rrset_all_next;
439 uint8_t* oldsname = sname;
440 /* see if the next one is a DNAME, if so, swap them */
441 if(nx && nx->section == LDNS_SECTION_ANSWER &&
442 nx->type == LDNS_RR_TYPE_DNAME &&
444 pkt_strict_sub(pkt, sname, nx->dname)) {
445 /* there is a DNAME after this CNAME, it
446 * is in the ANSWER section, and the DNAME
447 * applies to the name we cover */
448 /* check if the alias of the DNAME equals
450 uint8_t alias[LDNS_MAX_DOMAINLEN+1];
454 if(synth_cname(sname, snamelen, nx, alias,
456 parse_get_cname_target(rrset, &t, &tlen, pkt) &&
457 dname_pkt_compare(pkt, alias, t) == 0) {
458 /* the synthesized CNAME equals the
459 * current CNAME. This CNAME is the
460 * one that the DNAME creates, and this
461 * CNAME is better capitalised */
462 verbose(VERB_ALGO, "normalize: re-order of DNAME and its CNAME");
463 if(prev) prev->rrset_all_next = nx;
464 else msg->rrset_first = nx;
465 if(nx->rrset_all_next == NULL)
466 msg->rrset_last = rrset;
467 rrset->rrset_all_next =
469 nx->rrset_all_next = rrset;
470 /* prev = nx; unused, enable if there
471 * is other rrset removal code after
476 /* move to next name in CNAME chain */
477 if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
480 rrset = rrset->rrset_all_next;
481 /* in CNAME ANY response, can have data after CNAME */
482 if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
483 while(rrset && rrset->section ==
484 LDNS_SECTION_ANSWER &&
485 dname_pkt_compare(pkt, oldsname,
486 rrset->dname) == 0) {
488 rrset = rrset->rrset_all_next;
494 /* Otherwise, make sure that the RRset matches the qtype. */
495 if(qinfo->qtype != LDNS_RR_TYPE_ANY &&
496 qinfo->qtype != rrset->type) {
497 remove_rrset("normalize: removing irrelevant RRset:",
498 pkt, msg, prev, &rrset);
502 /* Mark the additional names from relevant rrset as OK. */
503 /* only for RRsets that match the query name, other ones
504 * will be removed by sanitize, so no additional for them */
505 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0)
506 mark_additional_rrset(pkt, msg, rrset);
509 rrset = rrset->rrset_all_next;
512 /* Mark additional names from AUTHORITY */
513 while(rrset && rrset->section == LDNS_SECTION_AUTHORITY) {
514 if(rrset->type==LDNS_RR_TYPE_DNAME ||
515 rrset->type==LDNS_RR_TYPE_CNAME ||
516 rrset->type==LDNS_RR_TYPE_A ||
517 rrset->type==LDNS_RR_TYPE_AAAA) {
518 remove_rrset("normalize: removing irrelevant "
519 "RRset:", pkt, msg, prev, &rrset);
522 /* only one NS set allowed in authority section */
523 if(rrset->type==LDNS_RR_TYPE_NS) {
524 /* NS set must be pertinent to the query */
525 if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) {
526 remove_rrset("normalize: removing irrelevant "
527 "RRset:", pkt, msg, prev, &rrset);
530 /* we don't want NS sets for NXDOMAIN answers,
531 * because they could contain poisonous contents,
532 * from. eg. fragmentation attacks, inserted after
533 * long RRSIGs in the packet get to the packet
535 /* also for NODATA answers */
536 if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
537 (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
538 && soa_in_auth(msg) && msg->an_rrsets == 0)) {
539 remove_rrset("normalize: removing irrelevant "
540 "RRset:", pkt, msg, prev, &rrset);
546 remove_rrset("normalize: removing irrelevant "
547 "RRset:", pkt, msg, prev, &rrset);
551 /* if this is type DS and we query for type DS we just got
552 * a referral answer for our type DS query, fix packet */
553 if(rrset->type==LDNS_RR_TYPE_DS &&
554 qinfo->qtype == LDNS_RR_TYPE_DS &&
555 dname_pkt_compare(pkt, qinfo->qname, rrset->dname) == 0) {
556 rrset->section = LDNS_SECTION_ANSWER;
557 msg->ancount = rrset->rr_count + rrset->rrsig_count;
563 msg->rrset_count = 1;
564 msg->rrset_first = rrset;
565 msg->rrset_last = rrset;
566 rrset->rrset_all_next = NULL;
569 mark_additional_rrset(pkt, msg, rrset);
571 rrset = rrset->rrset_all_next;
574 /* For each record in the additional section, remove it if it is an
575 * address record and not in the collection of additional names
576 * found in ANSWER and AUTHORITY. */
577 /* These records have not been marked OK previously */
578 while(rrset && rrset->section == LDNS_SECTION_ADDITIONAL) {
579 /* FIXME: what about other types? */
580 if(rrset->type==LDNS_RR_TYPE_A ||
581 rrset->type==LDNS_RR_TYPE_AAAA)
583 if((rrset->flags & RRSET_SCRUB_OK)) {
584 /* remove flag to clean up flags variable */
585 rrset->flags &= ~RRSET_SCRUB_OK;
587 remove_rrset("normalize: removing irrelevant "
588 "RRset:", pkt, msg, prev, &rrset);
592 if(rrset->type==LDNS_RR_TYPE_DNAME ||
593 rrset->type==LDNS_RR_TYPE_CNAME ||
594 rrset->type==LDNS_RR_TYPE_NS) {
595 remove_rrset("normalize: removing irrelevant "
596 "RRset:", pkt, msg, prev, &rrset);
600 rrset = rrset->rrset_all_next;
607 * Store potential poison in the cache (only if hardening disabled).
608 * The rrset is stored in the cache but removed from the message.
609 * So that it will be used for infrastructure purposes, but not be
610 * returned to the client.
612 * @param msg: message parsed
613 * @param env: environment with cache
614 * @param rrset: to store.
617 store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
618 struct rrset_parse* rrset)
620 struct ub_packed_rrset_key* k;
621 struct packed_rrset_data* d;
622 struct rrset_ref ref;
623 time_t now = *env->now;
625 k = alloc_special_obtain(env->alloc);
628 k->entry.data = NULL;
629 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) {
630 alloc_special_release(env->alloc, k);
633 d = (struct packed_rrset_data*)k->entry.data;
634 packed_rrset_ttl_add(d, now);
637 /*ignore ret: it was in the cache, ref updated */
638 (void)rrset_cache_update(env->rrset_cache, &ref, env->alloc, now);
642 * Check if right hand name in NSEC is within zone
643 * @param pkt: the packet buffer for decompression.
644 * @param rrset: the NSEC rrset
645 * @param zonename: the zone name.
646 * @return true if BAD.
648 static int sanitize_nsec_is_overreach(sldns_buffer* pkt,
649 struct rrset_parse* rrset, uint8_t* zonename)
654 log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
655 for(rr = rrset->rr_first; rr; rr = rr->next) {
656 size_t pos = sldns_buffer_position(pkt);
658 rhs = rr->ttl_data+4+2;
659 len = sldns_read_uint16(rr->ttl_data+4);
660 rhspos = rhs-sldns_buffer_begin(pkt);
661 sldns_buffer_set_position(pkt, rhspos);
662 if(pkt_dname_len(pkt) == 0) {
664 sldns_buffer_set_position(pkt, pos);
667 if(sldns_buffer_position(pkt)-rhspos > len) {
668 /* outside of rdata boundaries */
669 sldns_buffer_set_position(pkt, pos);
672 sldns_buffer_set_position(pkt, pos);
673 if(!pkt_sub(pkt, rhs, zonename)) {
678 /* all NSEC RRs OK */
683 * Given a response event, remove suspect RRsets from the response.
684 * "Suspect" rrsets are potentially poison. Note that this routine expects
685 * the response to be in a "normalized" state -- that is, all "irrelevant"
686 * RRsets have already been removed, CNAMEs are in order, etc.
688 * @param pkt: packet.
689 * @param msg: msg to normalize.
690 * @param qinfo: the question originally asked.
691 * @param zonename: name of server zone.
692 * @param env: module environment with config and cache.
693 * @param ie: iterator environment with private address data.
694 * @return 0 on error.
697 scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
698 struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
701 int del_addi = 0; /* if additional-holding rrsets are deleted, we
702 do not trust the normalized additional-A-AAAA any more */
703 struct rrset_parse* rrset, *prev;
705 rrset = msg->rrset_first;
707 /* the first DNAME is allowed to stay. It needs checking before
708 * it can be used from the cache. After normalization, an initial
709 * DNAME will have a correctly synthesized CNAME after it. */
710 if(rrset && rrset->type == LDNS_RR_TYPE_DNAME &&
711 rrset->section == LDNS_SECTION_ANSWER &&
712 pkt_strict_sub(pkt, qinfo->qname, rrset->dname) &&
713 pkt_sub(pkt, rrset->dname, zonename)) {
714 prev = rrset; /* DNAME allowed to stay in answer section */
715 rrset = rrset->rrset_all_next;
718 /* remove all records from the answer section that are
719 * not the same domain name as the query domain name.
720 * The answer section should contain rrsets with the same name
721 * as the question. For DNAMEs a CNAME has been synthesized.
722 * Wildcards have the query name in answer section.
723 * ANY queries get query name in answer section.
724 * Remainders of CNAME chains are cut off and resolved by iterator. */
725 while(rrset && rrset->section == LDNS_SECTION_ANSWER) {
726 if(dname_pkt_compare(pkt, qinfo->qname, rrset->dname) != 0) {
727 if(has_additional(rrset->type)) del_addi = 1;
728 remove_rrset("sanitize: removing extraneous answer "
729 "RRset:", pkt, msg, prev, &rrset);
733 rrset = rrset->rrset_all_next;
736 /* At this point, we brutally remove ALL rrsets that aren't
737 * children of the originating zone. The idea here is that,
738 * as far as we know, the server that we contacted is ONLY
739 * authoritative for the originating zone. It, of course, MAY
740 * be authoritative for any other zones, and of course, MAY
741 * NOT be authoritative for some subdomains of the originating
744 rrset = msg->rrset_first;
747 /* remove private addresses */
748 if( (rrset->type == LDNS_RR_TYPE_A ||
749 rrset->type == LDNS_RR_TYPE_AAAA)) {
751 /* do not set servfail since this leads to too
752 * many drops of other people using rfc1918 space */
753 /* also do not remove entire rrset, unless all records
755 if(priv_rrset_bad(ie->priv, pkt, rrset)) {
756 remove_rrset(NULL, pkt, msg, prev, &rrset);
761 /* skip DNAME records -- they will always be followed by a
762 * synthesized CNAME, which will be relevant.
763 * FIXME: should this do something differently with DNAME
764 * rrsets NOT in Section.ANSWER? */
765 /* But since DNAME records are also subdomains of the zone,
766 * same check can be used */
768 if(!pkt_sub(pkt, rrset->dname, zonename)) {
769 if(msg->an_rrsets == 0 &&
770 rrset->type == LDNS_RR_TYPE_NS &&
771 rrset->section == LDNS_SECTION_AUTHORITY &&
772 FLAGS_GET_RCODE(msg->flags) ==
773 LDNS_RCODE_NOERROR && !soa_in_auth(msg) &&
774 sub_of_pkt(pkt, zonename, rrset->dname)) {
775 /* noerror, nodata and this NS rrset is above
776 * the zone. This is LAME!
777 * Leave in the NS for lame classification. */
778 /* remove everything from the additional
779 * (we dont want its glue that was approved
780 * during the normalize action) */
782 } else if(!env->cfg->harden_glue && (
783 rrset->type == LDNS_RR_TYPE_A ||
784 rrset->type == LDNS_RR_TYPE_AAAA)) {
785 /* store in cache! Since it is relevant
786 * (from normalize) it will be picked up
787 * from the cache to be used later */
788 store_rrset(pkt, msg, env, rrset);
789 remove_rrset("sanitize: storing potential "
790 "poison RRset:", pkt, msg, prev, &rrset);
793 if(has_additional(rrset->type)) del_addi = 1;
794 remove_rrset("sanitize: removing potential "
795 "poison RRset:", pkt, msg, prev, &rrset);
799 if(del_addi && rrset->section == LDNS_SECTION_ADDITIONAL) {
800 remove_rrset("sanitize: removing potential "
801 "poison reference RRset:", pkt, msg, prev, &rrset);
804 /* check if right hand side of NSEC is within zone */
805 if(rrset->type == LDNS_RR_TYPE_NSEC &&
806 sanitize_nsec_is_overreach(pkt, rrset, zonename)) {
807 remove_rrset("sanitize: removing overreaching NSEC "
808 "RRset:", pkt, msg, prev, &rrset);
812 rrset = rrset->rrset_all_next;
818 scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
819 struct query_info* qinfo, uint8_t* zonename, struct regional* region,
820 struct module_env* env, struct iter_env* ie)
822 /* basic sanity checks */
823 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS,
827 if( !(msg->flags&BIT_QR) )
829 msg->flags &= ~(BIT_AD|BIT_Z); /* force off bit AD and Z */
831 /* make sure that a query is echoed back when NOERROR or NXDOMAIN */
832 /* this is not required for basic operation but is a forgery
833 * resistance (security) feature */
834 if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
835 FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) &&
839 /* if a query is echoed back, make sure it is correct. Otherwise,
840 * this may be not a reply to our query. */
841 if(msg->qdcount == 1) {
842 if(dname_pkt_compare(pkt, msg->qname, qinfo->qname) != 0)
844 if(msg->qtype != qinfo->qtype || msg->qclass != qinfo->qclass)
848 /* normalize the response, this cleans up the additional. */
849 if(!scrub_normalize(pkt, msg, qinfo, region))
851 /* delete all out-of-zone information */
852 if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie))