Rework validate-by-DS to avoid DoS vuln without arbitrary limits.
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.

Signed-off-by: DL6ER <dl6er@dl6er.de>
simonkelley authored and DL6ER committed Feb 13, 2024
1 parent 8b9c5d3 commit 0ce9541
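The commit message above describes the change as a complexity reduction: instead of re-hashing the candidate DNSKEY for every DS record, hash it once per distinct digest type and compare the cached digest against each DS. The following C program is an added illustration of that idea and is not dnsmasq's code; it uses a toy FNV-1a hash (`toy_digest`) as a stand-in for the real SHA-1/SHA-256/SHA-384 DS digests, constructed DNSKEY/DS records with only the fields the matching walk needs, and counts hash operations so the two bounds from the commit message can be seen side by side. The record layouts, function names and sample data are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed records: only the fields the DS-matching walk needs. A real DS
 * carries the digest of (owner name | DNSKEY RDATA); the digest type is an
 * 8-bit field, so one DS RRset can never name more than 256 distinct types. */
struct dnskey { uint16_t keytag; uint8_t alg; const char *rdata; };
struct ds     { uint16_t keytag; uint8_t alg; uint8_t digest_type; uint64_t digest; };

/* Stand-in for SHA-1/SHA-256/...: FNV-1a-64 seeded with the digest type.
 * Assumption for the example: the cost we care about is "one hash of the
 * DNSKEY per call", so every call bumps *ops. The hash itself is a toy. */
static uint64_t toy_digest(uint8_t digest_type, const char *rdata, unsigned *ops)
{
    uint64_t h = 1469598103934665603ULL ^ digest_type;
    for (const unsigned char *p = (const unsigned char *)rdata; *p; p++)
    {
        h ^= *p;
        h *= 1099511628211ULL;
    }
    (*ops)++;
    return h;
}

/* Cheap pre-filter: a DS can only refer to a DNSKEY with the same key tag and algorithm. */
static int tag_alg_match(const struct ds *d, const struct dnskey *k)
{
    return d->keytag == k->keytag && d->alg == k->alg;
}

/* Before: hash the candidate DNSKEY afresh for every DS record.
 * Work is (no. DS) x (no. DNSKEY) hashes when key tags and algorithms collide. */
int count_matches_old(const struct ds *ds, int nds, const struct dnskey *keys, int nkeys, unsigned *ops)
{
    int matched = 0;
    *ops = 0;
    for (int i = 0; i < nds; i++)
        for (int j = 0; j < nkeys; j++)
        {
            if (!tag_alg_match(&ds[i], &keys[j]))
                continue;
            if (toy_digest(ds[i].digest_type, keys[j].rdata, ops) == ds[i].digest)
                matched++;
        }
    return matched;
}

/* After: hash each DNSKEY at most once per distinct digest type, caching the
 * result by type (256 slots suffice because the type is one byte).
 * Work is bounded by (no. DNSKEY) x (no. distinct digest types). */
int count_matches_new(const struct ds *ds, int nds, const struct dnskey *keys, int nkeys, unsigned *ops)
{
    int matched = 0;
    *ops = 0;
    for (int j = 0; j < nkeys; j++)
    {
        uint64_t cache[256];
        uint8_t have[256] = {0};
        for (int i = 0; i < nds; i++)
        {
            if (!tag_alg_match(&ds[i], &keys[j]))
                continue;
            uint8_t t = ds[i].digest_type;
            if (!have[t])
            {
                cache[t] = toy_digest(t, keys[j].rdata, ops);
                have[t] = 1;
            }
            if (cache[t] == ds[i].digest)
                matched++;
        }
    }
    return matched;
}

struct demo_result { unsigned ops_old, ops_new; int matched_old, matched_new; };

/* Constructed input: every DS and DNSKEY shares one key tag and algorithm (so
 * the pre-filter rejects nothing), 6 DS records use only 2 digest types, and
 * exactly 2 of them are genuine digests of key B. */
struct demo_result run_demo(void)
{
    struct dnskey keys[3] = {
        { 0x1234, 13, "key-A-rdata" },
        { 0x1234, 13, "key-B-rdata" },
        { 0x1234, 13, "key-C-rdata" },
    };
    unsigned scratch = 0;
    struct ds ds[6] = {
        { 0x1234, 13, 1, 0x1111111111111111ULL },                  /* bogus */
        { 0x1234, 13, 2, toy_digest(2, keys[1].rdata, &scratch) }, /* genuine, type 2 */
        { 0x1234, 13, 1, 0x2222222222222222ULL },                  /* bogus */
        { 0x1234, 13, 2, 0x3333333333333333ULL },                  /* bogus */
        { 0x1234, 13, 1, toy_digest(1, keys[1].rdata, &scratch) }, /* genuine, type 1 */
        { 0x1234, 13, 2, 0x4444444444444444ULL },                  /* bogus */
    };
    struct demo_result r;
    r.matched_old = count_matches_old(ds, 6, keys, 3, &r.ops_old);
    r.matched_new = count_matches_new(ds, 6, keys, 3, &r.ops_new);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("old: %d matches in %u hashes; new: %d matches in %u hashes\n",
           r.matched_old, r.ops_old, r.matched_new, r.ops_new);
    return 0;
}
```

With 6 DS records, 3 DNSKEYs and 2 digest types the old walk does 18 hashes and the new one 6, both finding the same 2 matches. The key tag/algorithm pre-filter is not a bound on its own, because whoever controls the zone data also chooses the key tags, so the figure that matters is the one the commit message gives: keys times distinct digest types, where the second factor is capped by the 8-bit digest type field and, in practice, by the handful of digests the resolver implements.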
Showing 5 changed files with 149 additions and 165 deletions.
6 changes: 2 additions & 4 deletions src/dnsmasq/config.h
@@ -23,10 +23,8 @@
#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
#define LIMIT_KEY_FAIL 15 /* Number of keys that can fail DS validate in one an answer. */
#define LIMIT_DS_FAIL 5 /* Number of DS records that can fail to validate a key in one answer */
#define LIMIT_SIG_FAIL 10 /* Number of signature that can fail to validate in one answer */
#define LIMIT_CRYPTO 40 /* max no. of crypto operations to validate one a query. */
#define LIMIT_SIG_FAIL 20 /* Number of signature that can fail to validate in one answer */
#define LIMIT_CRYPTO 200 /* max no. of crypto operations to validate one a query. */
#define LIMIT_NSEC3_ITERS 150 /* Max. number if iterations allow in NSEC3 record. */
#define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
#define SMALL_PORT_RANGE 30 /* If DNS port range is smaller than this, use different allocation. */
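Review bot: the new LIMIT_CRYPTO line keeps the typo from the line it replaces ("max no. of crypto operations to validate one a query." should read "one query"), and the touched neighbours could be cleaned up in the same hunk ("Number of signature that can fail" -> "Number of signatures that can fail", "Max. number if iterations allow" -> "Max. number of iterations allowed"). More substantively, LIMIT_SIG_FAIL goes from 10 to 20 and LIMIT_CRYPTO from 40 to 200 with no comment saying what the new figures are sized for; since the commit message argues DS work is now bounded by (no. DNSKEY) x (no. distinct digests), a one-line comment stating that bound, and that LIMIT_KEY_FAIL and LIMIT_DS_FAIL are dropped because it replaces them, would save the next reader a trip through the history.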
2 changes: 1 addition & 1 deletion src/dnsmasq/dnsmasq.h
@@ -1249,7 +1249,7 @@ extern struct daemon {
int rr_status_sz;
int dnssec_no_time_check;
int back_to_the_future;
int limit_key_fail, limit_ds_fail, limit_sig_fail, limit_crypto, limit_work, limit_nsec3_iters;
int limit_sig_fail, limit_crypto, limit_work, limit_nsec3_iters;
#endif
struct frec *frec_list;
struct frec_src *free_frec_src;
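Review bot: dropping limit_key_fail and limit_ds_fail from struct daemon matches the removal of LIMIT_KEY_FAIL and LIMIT_DS_FAIL in config.h, but only two of the five changed files are rendered on this page, so the rest of the commit needs checking for every place that set or read these two fields: a leftover reference fails the build, and a leftover configuration knob that is still accepted but no longer does anything would be worse, because operators would believe a limit is in force when it is not.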
