Deleted Added
sdiff udiff text old ( 256281 ) new ( 269257 )
full compact
iter_scrub.c (256281) iter_scrub.c (269257)
1/*
2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without

--- 7 unchanged lines hidden (view full) ---

16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
1/*
2 * iterator/iter_scrub.c - scrubbing, normalization, sanitization of DNS msgs.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without

--- 7 unchanged lines hidden (view full) ---

16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file has routine(s) for cleaning up incoming DNS messages from
40 * possible useless or malicious junk in it.
41 */

--- 6 unchanged lines hidden (view full) ---

48#include "util/net_help.h"
49#include "util/regional.h"
50#include "util/config_file.h"
51#include "util/module.h"
52#include "util/data/msgparse.h"
53#include "util/data/dname.h"
54#include "util/data/msgreply.h"
55#include "util/alloc.h"
34 */
35
36/**
37 * \file
38 *
39 * This file has routine(s) for cleaning up incoming DNS messages from
40 * possible useless or malicious junk in it.
41 */

--- 6 unchanged lines hidden (view full) ---

48#include "util/net_help.h"
49#include "util/regional.h"
50#include "util/config_file.h"
51#include "util/module.h"
52#include "util/data/msgparse.h"
53#include "util/data/dname.h"
54#include "util/data/msgreply.h"
55#include "util/alloc.h"
56#include "ldns/sbuffer.h"
56
57/** RRset flag used during scrubbing. The RRset is OK. */
58#define RRSET_SCRUB_OK 0x80
59
60/** remove rrset, update loop variables */
61static void
57
58/** RRset flag used during scrubbing. The RRset is OK. */
59#define RRSET_SCRUB_OK 0x80
60
61/** remove rrset, update loop variables */
62static void
62remove_rrset(const char* str, ldns_buffer* pkt, struct msg_parse* msg,
63remove_rrset(const char* str, sldns_buffer* pkt, struct msg_parse* msg,
63 struct rrset_parse* prev, struct rrset_parse** rrset)
64{
64 struct rrset_parse* prev, struct rrset_parse** rrset)
65{
65 if(verbosity >= VERB_QUERY
66 if(verbosity >= VERB_QUERY && str
66 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) {
67 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
68 dname_pkt_copy(pkt, buf, (*rrset)->dname);
69 log_nametypeclass(VERB_QUERY, str, buf,
70 (*rrset)->type, ntohs((*rrset)->rrset_class));
71 }
72 if(prev)
73 prev->rrset_all_next = (*rrset)->rrset_all_next;

--- 29 unchanged lines hidden (view full) ---

103 return 0;
104 }
105 return 0;
106}
107
108/** get additional name from rrset RR, return false if no name present */
109static int
110get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr,
67 && (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) {
68 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
69 dname_pkt_copy(pkt, buf, (*rrset)->dname);
70 log_nametypeclass(VERB_QUERY, str, buf,
71 (*rrset)->type, ntohs((*rrset)->rrset_class));
72 }
73 if(prev)
74 prev->rrset_all_next = (*rrset)->rrset_all_next;

--- 29 unchanged lines hidden (view full) ---

104 return 0;
105 }
106 return 0;
107}
108
109/** get additional name from rrset RR, return false if no name present */
110static int
111get_additional_name(struct rrset_parse* rrset, struct rr_parse* rr,
111 uint8_t** nm, size_t* nmlen, ldns_buffer* pkt)
112 uint8_t** nm, size_t* nmlen, sldns_buffer* pkt)
112{
113 size_t offset = 0;
114 size_t len, oldpos;
115 switch(rrset->type) {
116 case LDNS_RR_TYPE_MB:
117 case LDNS_RR_TYPE_MD:
118 case LDNS_RR_TYPE_MF:
119 case LDNS_RR_TYPE_NS:

--- 7 unchanged lines hidden (view full) ---

127 offset = 6;
128 break;
129 case LDNS_RR_TYPE_NAPTR:
130 /* TODO: NAPTR not supported, glue stripped off */
131 return 0;
132 default:
133 return 0;
134 }
113{
114 size_t offset = 0;
115 size_t len, oldpos;
116 switch(rrset->type) {
117 case LDNS_RR_TYPE_MB:
118 case LDNS_RR_TYPE_MD:
119 case LDNS_RR_TYPE_MF:
120 case LDNS_RR_TYPE_NS:

--- 7 unchanged lines hidden (view full) ---

128 offset = 6;
129 break;
130 case LDNS_RR_TYPE_NAPTR:
131 /* TODO: NAPTR not supported, glue stripped off */
132 return 0;
133 default:
134 return 0;
135 }
135 len = ldns_read_uint16(rr->ttl_data+sizeof(uint32_t));
136 len = sldns_read_uint16(rr->ttl_data+sizeof(uint32_t));
136 if(len < offset+1)
137 return 0; /* rdata field too small */
138 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset;
137 if(len < offset+1)
138 return 0; /* rdata field too small */
139 *nm = rr->ttl_data+sizeof(uint32_t)+sizeof(uint16_t)+offset;
139 oldpos = ldns_buffer_position(pkt);
140 ldns_buffer_set_position(pkt, (size_t)(*nm - ldns_buffer_begin(pkt)));
140 oldpos = sldns_buffer_position(pkt);
141 sldns_buffer_set_position(pkt, (size_t)(*nm - sldns_buffer_begin(pkt)));
141 *nmlen = pkt_dname_len(pkt);
142 *nmlen = pkt_dname_len(pkt);
142 ldns_buffer_set_position(pkt, oldpos);
143 sldns_buffer_set_position(pkt, oldpos);
143 if(*nmlen == 0)
144 return 0;
145 return 1;
146}
147
148/** Place mark on rrsets in additional section they are OK */
149static void
144 if(*nmlen == 0)
145 return 0;
146 return 1;
147}
148
149/** Place mark on rrsets in additional section they are OK */
150static void
150mark_additional_rrset(ldns_buffer* pkt, struct msg_parse* msg,
151mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
151 struct rrset_parse* rrset)
152{
153 /* Mark A and AAAA for NS as appropriate additional section info. */
154 uint8_t* nm = NULL;
155 size_t nmlen = 0;
156 struct rr_parse* rr;
157
158 if(!has_additional(rrset->type))

--- 45 unchanged lines hidden (view full) ---

204 + sizeof(uint16_t); /* skip ttl, rdatalen */
205 *snamelen = rrset->rr_first->size - sizeof(uint16_t);
206 return 1;
207}
208
209/** Synthesize CNAME from DNAME, false if too long */
210static int
211synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
152 struct rrset_parse* rrset)
153{
154 /* Mark A and AAAA for NS as appropriate additional section info. */
155 uint8_t* nm = NULL;
156 size_t nmlen = 0;
157 struct rr_parse* rr;
158
159 if(!has_additional(rrset->type))

--- 45 unchanged lines hidden (view full) ---

205 + sizeof(uint16_t); /* skip ttl, rdatalen */
206 *snamelen = rrset->rr_first->size - sizeof(uint16_t);
207 return 1;
208}
209
210/** Synthesize CNAME from DNAME, false if too long */
211static int
212synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
212 uint8_t* alias, size_t* aliaslen, ldns_buffer* pkt)
213 uint8_t* alias, size_t* aliaslen, sldns_buffer* pkt)
213{
214 /* we already know that sname is a strict subdomain of DNAME owner */
215 uint8_t* dtarg = NULL;
216 size_t dtarglen;
217 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
218 return 0;
219 log_assert(qnamelen > dname_rrset->dname_len);
220 /* DNAME from com. to net. with qname example.com. -> example.net. */

--- 7 unchanged lines hidden (view full) ---

228 return 1;
229}
230
231/** synthesize a CNAME rrset */
232static struct rrset_parse*
233synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
234 size_t aliaslen, struct regional* region, struct msg_parse* msg,
235 struct rrset_parse* rrset, struct rrset_parse* prev,
214{
215 /* we already know that sname is a strict subdomain of DNAME owner */
216 uint8_t* dtarg = NULL;
217 size_t dtarglen;
218 if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
219 return 0;
220 log_assert(qnamelen > dname_rrset->dname_len);
221 /* DNAME from com. to net. with qname example.com. -> example.net. */

--- 7 unchanged lines hidden (view full) ---

229 return 1;
230}
231
232/** synthesize a CNAME rrset */
233static struct rrset_parse*
234synth_cname_rrset(uint8_t** sname, size_t* snamelen, uint8_t* alias,
235 size_t aliaslen, struct regional* region, struct msg_parse* msg,
236 struct rrset_parse* rrset, struct rrset_parse* prev,
236 struct rrset_parse* nx, ldns_buffer* pkt)
237 struct rrset_parse* nx, sldns_buffer* pkt)
237{
238 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region,
239 sizeof(struct rrset_parse));
240 if(!cn)
241 return NULL;
242 memset(cn, 0, sizeof(*cn));
243 cn->rr_first = (struct rr_parse*)regional_alloc(region,
244 sizeof(struct rr_parse));

--- 14 unchanged lines hidden (view full) ---

259 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0);
260 /* allocate TTL + rdatalen + uncompressed dname */
261 memset(cn->rr_first, 0, sizeof(struct rr_parse));
262 cn->rr_first->outside_packet = 1;
263 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region,
264 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
265 if(!cn->rr_first->ttl_data)
266 return NULL;
238{
239 struct rrset_parse* cn = (struct rrset_parse*)regional_alloc(region,
240 sizeof(struct rrset_parse));
241 if(!cn)
242 return NULL;
243 memset(cn, 0, sizeof(*cn));
244 cn->rr_first = (struct rr_parse*)regional_alloc(region,
245 sizeof(struct rr_parse));

--- 14 unchanged lines hidden (view full) ---

260 cn->hash=pkt_hash_rrset(pkt, cn->dname, cn->type, cn->rrset_class, 0);
261 /* allocate TTL + rdatalen + uncompressed dname */
262 memset(cn->rr_first, 0, sizeof(struct rr_parse));
263 cn->rr_first->outside_packet = 1;
264 cn->rr_first->ttl_data = (uint8_t*)regional_alloc(region,
265 sizeof(uint32_t)+sizeof(uint16_t)+aliaslen);
266 if(!cn->rr_first->ttl_data)
267 return NULL;
267 ldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
268 ldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
268 sldns_write_uint32(cn->rr_first->ttl_data, 0); /* TTL = 0 */
269 sldns_write_uint16(cn->rr_first->ttl_data+4, aliaslen);
269 memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
270 cn->rr_first->size = sizeof(uint16_t)+aliaslen;
271
272 /* link it in */
273 cn->rrset_all_next = nx;
274 if(prev)
275 prev->rrset_all_next = cn;
276 else msg->rrset_first = cn;

--- 5 unchanged lines hidden (view full) ---

282
283 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t);
284 *snamelen = aliaslen;
285 return cn;
286}
287
288/** check if DNAME applies to a name */
289static int
270 memmove(cn->rr_first->ttl_data+6, alias, aliaslen);
271 cn->rr_first->size = sizeof(uint16_t)+aliaslen;
272
273 /* link it in */
274 cn->rrset_all_next = nx;
275 if(prev)
276 prev->rrset_all_next = cn;
277 else msg->rrset_first = cn;

--- 5 unchanged lines hidden (view full) ---

283
284 *sname = cn->rr_first->ttl_data + sizeof(uint32_t)+sizeof(uint16_t);
285 *snamelen = aliaslen;
286 return cn;
287}
288
289/** check if DNAME applies to a name */
290static int
290pkt_strict_sub(ldns_buffer* pkt, uint8_t* sname, uint8_t* dr)
291pkt_strict_sub(sldns_buffer* pkt, uint8_t* sname, uint8_t* dr)
291{
292 uint8_t buf1[LDNS_MAX_DOMAINLEN+1];
293 uint8_t buf2[LDNS_MAX_DOMAINLEN+1];
294 /* decompress names */
295 dname_pkt_copy(pkt, buf1, sname);
296 dname_pkt_copy(pkt, buf2, dr);
297 return dname_strict_subdomain_c(buf1, buf2);
298}
299
300/** check subdomain with decompression */
301static int
292{
293 uint8_t buf1[LDNS_MAX_DOMAINLEN+1];
294 uint8_t buf2[LDNS_MAX_DOMAINLEN+1];
295 /* decompress names */
296 dname_pkt_copy(pkt, buf1, sname);
297 dname_pkt_copy(pkt, buf2, dr);
298 return dname_strict_subdomain_c(buf1, buf2);
299}
300
301/** check subdomain with decompression */
302static int
302pkt_sub(ldns_buffer* pkt, uint8_t* comprname, uint8_t* zone)
303pkt_sub(sldns_buffer* pkt, uint8_t* comprname, uint8_t* zone)
303{
304 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
305 dname_pkt_copy(pkt, buf, comprname);
306 return dname_subdomain_c(buf, zone);
307}
308
309/** check subdomain with decompression, compressed is parent */
310static int
304{
305 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
306 dname_pkt_copy(pkt, buf, comprname);
307 return dname_subdomain_c(buf, zone);
308}
309
310/** check subdomain with decompression, compressed is parent */
311static int
311sub_of_pkt(ldns_buffer* pkt, uint8_t* zone, uint8_t* comprname)
312sub_of_pkt(sldns_buffer* pkt, uint8_t* zone, uint8_t* comprname)
312{
313 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
314 dname_pkt_copy(pkt, buf, comprname);
315 return dname_subdomain_c(zone, buf);
316}
317
318/**
319 * This routine normalizes a response. This includes removing "irrelevant"
320 * records from the answer and additional sections and (re)synthesizing
321 * CNAMEs from DNAMEs, if present.
322 *
323 * @param pkt: packet.
324 * @param msg: msg to normalize.
325 * @param qinfo: original query.
326 * @param region: where to allocate synthesized CNAMEs.
327 * @return 0 on error.
328 */
329static int
313{
314 uint8_t buf[LDNS_MAX_DOMAINLEN+1];
315 dname_pkt_copy(pkt, buf, comprname);
316 return dname_subdomain_c(zone, buf);
317}
318
319/**
320 * This routine normalizes a response. This includes removing "irrelevant"
321 * records from the answer and additional sections and (re)synthesizing
322 * CNAMEs from DNAMEs, if present.
323 *
324 * @param pkt: packet.
325 * @param msg: msg to normalize.
326 * @param qinfo: original query.
327 * @param region: where to allocate synthesized CNAMEs.
328 * @return 0 on error.
329 */
330static int
330scrub_normalize(ldns_buffer* pkt, struct msg_parse* msg,
331scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
331 struct query_info* qinfo, struct regional* region)
332{
333 uint8_t* sname = qinfo->qname;
334 size_t snamelen = qinfo->qname_len;
335 struct rrset_parse* rrset, *prev, *nsset=NULL;
336
337 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
338 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN)

--- 170 unchanged lines hidden (view full) ---

509 * So that it will be used for infrastructure purposes, but not be
510 * returned to the client.
511 * @param pkt: packet
512 * @param msg: message parsed
513 * @param env: environment with cache
514 * @param rrset: to store.
515 */
516static void
332 struct query_info* qinfo, struct regional* region)
333{
334 uint8_t* sname = qinfo->qname;
335 size_t snamelen = qinfo->qname_len;
336 struct rrset_parse* rrset, *prev, *nsset=NULL;
337
338 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
339 FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN)

--- 170 unchanged lines hidden (view full) ---

510 * So that it will be used for infrastructure purposes, but not be
511 * returned to the client.
512 * @param pkt: packet
513 * @param msg: message parsed
514 * @param env: environment with cache
515 * @param rrset: to store.
516 */
517static void
517store_rrset(ldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
518store_rrset(sldns_buffer* pkt, struct msg_parse* msg, struct module_env* env,
518 struct rrset_parse* rrset)
519{
520 struct ub_packed_rrset_key* k;
521 struct packed_rrset_data* d;
522 struct rrset_ref ref;
519 struct rrset_parse* rrset)
520{
521 struct ub_packed_rrset_key* k;
522 struct packed_rrset_data* d;
523 struct rrset_ref ref;
523 uint32_t now = *env->now;
524 time_t now = *env->now;
524
525 k = alloc_special_obtain(env->alloc);
526 if(!k)
527 return;
528 k->entry.data = NULL;
529 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) {
530 alloc_special_release(env->alloc, k);
531 return;

--- 28 unchanged lines hidden (view full) ---

560 uint8_t* zonename)
561{
562 struct rr_parse* rr;
563 uint8_t* rhs;
564 size_t len;
565 log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
566 for(rr = rrset->rr_first; rr; rr = rr->next) {
567 rhs = rr->ttl_data+4+2;
525
526 k = alloc_special_obtain(env->alloc);
527 if(!k)
528 return;
529 k->entry.data = NULL;
530 if(!parse_copy_decompress_rrset(pkt, msg, rrset, NULL, k)) {
531 alloc_special_release(env->alloc, k);
532 return;

--- 28 unchanged lines hidden (view full) ---

561 uint8_t* zonename)
562{
563 struct rr_parse* rr;
564 uint8_t* rhs;
565 size_t len;
566 log_assert(rrset->type == LDNS_RR_TYPE_NSEC);
567 for(rr = rrset->rr_first; rr; rr = rr->next) {
568 rhs = rr->ttl_data+4+2;
568 len = ldns_read_uint16(rr->ttl_data+4);
569 len = sldns_read_uint16(rr->ttl_data+4);
569 if(!dname_valid(rhs, len)) {
570 /* malformed domain name in rdata */
571 return 1;
572 }
573 if(!dname_subdomain_c(rhs, zonename)) {
574 /* overreaching */
575 return 1;
576 }

--- 12 unchanged lines hidden (view full) ---

589 * @param msg: msg to normalize.
590 * @param qinfo: the question originally asked.
591 * @param zonename: name of server zone.
592 * @param env: module environment with config and cache.
593 * @param ie: iterator environment with private address data.
594 * @return 0 on error.
595 */
596static int
570 if(!dname_valid(rhs, len)) {
571 /* malformed domain name in rdata */
572 return 1;
573 }
574 if(!dname_subdomain_c(rhs, zonename)) {
575 /* overreaching */
576 return 1;
577 }

--- 12 unchanged lines hidden (view full) ---

590 * @param msg: msg to normalize.
591 * @param qinfo: the question originally asked.
592 * @param zonename: name of server zone.
593 * @param env: module environment with config and cache.
594 * @param ie: iterator environment with private address data.
595 * @return 0 on error.
596 */
597static int
597scrub_sanitize(ldns_buffer* pkt, struct msg_parse* msg,
598scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg,
598 struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
599 struct iter_env* ie)
600{
601 int del_addi = 0; /* if additional-holding rrsets are deleted, we
602 do not trust the normalized additional-A-AAAA any more */
603 struct rrset_parse* rrset, *prev;
604 prev = NULL;
605 rrset = msg->rrset_first;

--- 35 unchanged lines hidden (view full) ---

641 * NOT be authoritative for some subdomains of the originating
642 * zone. */
643 prev = NULL;
644 rrset = msg->rrset_first;
645 while(rrset) {
646
647 /* remove private addresses */
648 if( (rrset->type == LDNS_RR_TYPE_A ||
599 struct query_info* qinfo, uint8_t* zonename, struct module_env* env,
600 struct iter_env* ie)
601{
602 int del_addi = 0; /* if additional-holding rrsets are deleted, we
603 do not trust the normalized additional-A-AAAA any more */
604 struct rrset_parse* rrset, *prev;
605 prev = NULL;
606 rrset = msg->rrset_first;

--- 35 unchanged lines hidden (view full) ---

642 * NOT be authoritative for some subdomains of the originating
643 * zone. */
644 prev = NULL;
645 rrset = msg->rrset_first;
646 while(rrset) {
647
648 /* remove private addresses */
649 if( (rrset->type == LDNS_RR_TYPE_A ||
649 rrset->type == LDNS_RR_TYPE_AAAA) &&
650 priv_rrset_bad(ie->priv, pkt, rrset)) {
650 rrset->type == LDNS_RR_TYPE_AAAA)) {
651
652 /* do not set servfail since this leads to too
653 * many drops of other people using rfc1918 space */
651
652 /* do not set servfail since this leads to too
653 * many drops of other people using rfc1918 space */
654 remove_rrset("sanitize: removing public name with "
655 "private address", pkt, msg, prev, &rrset);
656 continue;
654 /* also do not remove entire rrset, unless all records
655 * in it are bad */
656 if(priv_rrset_bad(ie->priv, pkt, rrset)) {
657 remove_rrset(NULL, pkt, msg, prev, &rrset);
658 continue;
659 }
657 }
658
659 /* skip DNAME records -- they will always be followed by a
660 * synthesized CNAME, which will be relevant.
661 * FIXME: should this do something differently with DNAME
662 * rrsets NOT in Section.ANSWER? */
663 /* But since DNAME records are also subdomains of the zone,
664 * same check can be used */

--- 41 unchanged lines hidden (view full) ---

706 }
707 prev = rrset;
708 rrset = rrset->rrset_all_next;
709 }
710 return 1;
711}
712
713int
660 }
661
662 /* skip DNAME records -- they will always be followed by a
663 * synthesized CNAME, which will be relevant.
664 * FIXME: should this do something differently with DNAME
665 * rrsets NOT in Section.ANSWER? */
666 /* But since DNAME records are also subdomains of the zone,
667 * same check can be used */

--- 41 unchanged lines hidden (view full) ---

709 }
710 prev = rrset;
711 rrset = rrset->rrset_all_next;
712 }
713 return 1;
714}
715
716int
714scrub_message(ldns_buffer* pkt, struct msg_parse* msg,
717scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
715 struct query_info* qinfo, uint8_t* zonename, struct regional* region,
716 struct module_env* env, struct iter_env* ie)
717{
718 /* basic sanity checks */
719 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS,
720 qinfo->qclass);
721 if(msg->qdcount > 1)
722 return 0;

--- 29 unchanged lines hidden --- 		718 struct query_info* qinfo, uint8_t* zonename, struct regional* region,
719 struct module_env* env, struct iter_env* ie)
720{
721 /* basic sanity checks */
722 log_nametypeclass(VERB_ALGO, "scrub for", zonename, LDNS_RR_TYPE_NS,
723 qinfo->qclass);
724 if(msg->qdcount > 1)
725 return 0;

--- 29 unchanged lines hidden ---