Bug #4402

closed

Unbound: enable harden-glue by default and/or apply patch

Added by Olivier Müller almost 10 years ago. Updated over 9 years ago.

Status: Resolved
Priority: High
Category: DNS Resolver
Start date: 02/10/2015
% Done: 0%
Affected Version: 2.2

Description

DNS poisoning seems to be possible under 2.2 according to https://forum.pfsense.org/index.php?topic=87491.0.

Fix: enable "harden-glue: yes" in unbound.conf or apply the following patch from Unbound-Dev-Team member Wouter
(please see https://forum.pfsense.org/index.php?topic=87491.msg488694#msg488694 for details)

From today's http://unbound.nlnetlabs.nl/svn/trunk/doc/Changelog:

 10 February 2015: Wouter
    - Fix scrubber with harden-glue turned off to reject NS (and other
      not-address) records.

Patch:

Index: iterator/iter_scrub.c
===================================================================
--- iterator/iter_scrub.c       (revision 3329)
+++ iterator/iter_scrub.c       (working copy)
@@ -680,7 +680,9 @@
                                 * (we dont want its glue that was approved
                                 * during the normalize action) */
                                del_addi = 1;
-                       } else if(!env->cfg->harden_glue) {
+                       } else if(!env->cfg->harden_glue && (
+                               rrset->type == LDNS_RR_TYPE_A ||
+                               rrset->type == LDNS_RR_TYPE_AAAA)) {
                                /* store in cache! Since it is relevant
                                 * (from normalize) it will be picked up
                                 * from the cache to be used later */
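Review bot: the tightened `else if(!env->cfg->harden_glue && (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA))` now keeps only address rrsets on the harden-glue-off path, but the hunk does not show where a not-address rrset goes once it fails this test; confirm that it lands in a branch that sets del_addi (or otherwise drops it) and not in a later default that still stores it, and add a regression test that feeds an out-of-bailiwick NS rrset in the additional section with `harden-glue: no`. The harden-glue entry in the unbound.conf(5) man page should also be updated, since "no" now means "cache unchecked A/AAAA records only" rather than "cache any additional data", and the Changelog line "reject NS (and other not-address) records" should say that address records are still accepted unchecked.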

Best regards.
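To make the effect of the two proposed fixes concrete, the following is an added illustration, not Unbound's code and not part of this bug report: a deliberately simplified model of the scrubber decision for rrsets in the authority/additional sections, implementing only the branch visible in the patch above (in-bailiwick rrsets kept; out-of-bailiwick rrsets dropped with harden-glue on, kept with harden-glue off, and, after the patch, kept only when they are A or AAAA). The zone name, the record names and the addresses are constructed for the example; Unbound's real scrubber has further cases (the del_addi path, normalization, CNAME handling) that are not modelled here.

```python
"""Simplified model of Unbound's harden-glue scrub decision (added example).

Only the branch shown in the iter_scrub.c patch is modelled; everything
else about Unbound's scrubber is deliberately left out.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "A", "AAAA", "NS", ...
    rdata: str   # printable rdata, for display only


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or a subdomain of zone."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def scrub_extra_sections(rrsets, zone, harden_glue, patched):
    """Return the authority/additional rrsets that would reach the cache.

    - in-bailiwick rrsets are kept (approved during normalize)
    - out-of-bailiwick rrsets are dropped when harden_glue is on
    - with harden_glue off, the unpatched code keeps all of them and the
      patched code keeps only A/AAAA (the not-address ones are rejected)
    """
    kept = []
    for rr in rrsets:
        if in_bailiwick(rr.name, zone):
            kept.append(rr)
        elif harden_glue:
            continue
        elif not patched or rr.rtype in ("A", "AAAA"):
            kept.append(rr)
    return kept


# Constructed sample: the resolver queried a server for zone evil.test.
# and that server padded its additional section with records for an
# unrelated zone, target.test. (all names and addresses are made up).
ZONE = "evil.test."
EXTRA_SECTION = [
    RRset("ns1.evil.test.", "A", "203.0.113.10"),     # legitimate glue
    RRset("target.test.", "NS", "ns1.evil.test."),    # delegation takeover attempt
    RRset("target.test.", "A", "203.0.113.10"),       # unrelated address record
]


def cached_by_scenario(rrsets=EXTRA_SECTION, zone=ZONE):
    """Map each configuration to the (name, type) pairs it would cache."""
    scenarios = {
        "harden-glue: yes": dict(harden_glue=True, patched=False),
        "harden-glue: no, unpatched": dict(harden_glue=False, patched=False),
        "harden-glue: no, patched": dict(harden_glue=False, patched=True),
    }
    return {
        label: [(rr.name, rr.rtype) for rr in scrub_extra_sections(rrsets, zone, **opts)]
        for label, opts in scenarios.items()
    }


if __name__ == "__main__":
    for label, kept in cached_by_scenario().items():
        print(f"{label:28s} -> {kept}")
```

Run as a script, the model shows why the bug asks for both measures: with `harden-glue: no` and the patch applied the foreign NS record is rejected, but the foreign A record is still admitted to the cache, while `harden-glue: yes` keeps only the in-bailiwick glue.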
