
DNS/KnotResolver/CNAMEpatchについて、ここに記述してください。

https://gitlab.labs.nic.cz/knot/resolver/issues/38

The *.name CNAME or DNAME can be misused for in-bailiwick cache poisoning.

Query log recorded after applying the patch: DNS/watchNS/vavrusa.com/CNAME-log

*** iterate.c   2015-10-19 17:09:52.517304816 +0900
--- iterate.c.orig      2015-10-19 17:08:37.741302152 +0900
***************
*** 351,358 ****
        for (unsigned i = 0; i < an->count; ++i) {
                /* @todo construct a CNAME chain closure and accept all names from that set */ 
                const knot_rrset_t *rr = knot_pkt_rr(an, i);
!               if (!knot_dname_is_equal(rr->owner, query->sname) /* &&
!                       !(follow_chain && knot_dname_is_equal(rr->owner, cname)) */ ) {
                        continue;
                }
                unsigned hint = 0;
--- 351,358 ----
        for (unsigned i = 0; i < an->count; ++i) {
                /* @todo construct a CNAME chain closure and accept all names from that set */ 
                const knot_rrset_t *rr = knot_pkt_rr(an, i);
!               if (!knot_dname_is_equal(rr->owner, query->sname) &&
!                       !(follow_chain && knot_dname_is_equal(rr->owner, cname))) {
                        continue;
                }
                unsigned hint = 0;
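Review bot: The hunk lists the modified file (`*** iterate.c`) before the original (`--- iterate.c.orig`), which is the reverse of context-diff convention (original on the `***` side, result on the `---` side), so `patch` would undo the change unless run with `-R`; regenerate it as `diff -c iterate.c.orig iterate.c`, and the same applies to the `rrcache.c` hunk below. Taking the `***` side as the intended result, the dropped `follow_chain` clause is left as a block comment inside the `if` condition; a reviewer would delete it or move the rationale into the `@todo` comment above so the condition reads as a single expression, e.g. `/* Only accept answer RRs owned by the queried name; CNAME-target RRs from the same answer are not trusted (issue 38). */`. With the clause gone every answer record whose owner differs from `query->sname` is skipped, including the in-bailiwick CNAME target the original accepted, which is the intended poisoning mitigation; whether `cname` and `follow_chain` keep other uses in this function is not visible here, so check for unused-variable warnings. The enclosing loop continues outside the hunk.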

*** rrcache.c   2015-10-21 15:27:20.850948200 +0900
--- rrcache.c.orig      2015-10-16 10:12:33.187877861 +0900
***************
*** 262,273 ****
                kr_rrmap_add(stash, rr, KR_RANK_AUTH, pool);
                /* Follow CNAME chain in current cut. */
                if (rr->type == KNOT_RRTYPE_CNAME) {
-                  /*
                        const knot_dname_t *next_cname = knot_cname_name(&rr->rrs);
                        if (knot_dname_in(qry->zone_cut.name, next_cname)) {
                                cname = next_cname;
                        }
-                   */
                } else if (rr->type != KNOT_RRTYPE_RRSIG) {
                        cname = qry->sname;
                }
--- 262,271 ----