From 13568961ecdf5edd12644c1ff1d3c2b9e8823c4b Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Sat, 26 Dec 2015 23:33:10 -0500
Subject: [PATCH] krb5: DNS A record fallback test for invalid gTLD

As per https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf prior to a new top-level domain being put into service there is controlled interuption service which will return explicit responses to DNS A, MX, SRV, and TXT queries that can be used to detect private namespace collisions. When performing fallback_get_hosts() check the AF_INET responses to ensure that they are not the gTLD name collision address 127.0.53.53. If so, add an error message to the context and return KRB5_KDC_UNREACH. Write a warning to the log (if any).

Change-Id: I2578f13948b8327cc3f06542c1e489f02410143a
---
 lib/krb5/krbhst.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c
index a196c0a03..5fb4b520b 100644
--- a/lib/krb5/krbhst.c
+++ b/lib/krb5/krbhst.c
@@ -545,7 +545,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 serv_string, kd->fallback_count, kd->realm);
 if (ret < 0 || host == NULL)
- return ENOMEM;
+ return krb5_enomem(context);
 make_hints(&hints, proto);
 snprintf(portstr, sizeof(portstr), "%d", port);
@@ -556,12 +556,26 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 kd->flags |= KD_FALLBACK;
 } else {
 struct krb5_krbhst_info *hi;
- size_t hostlen = strlen(host);
+ size_t hostlen;
+ /* Check for ICANN gTLD Name Collision address (127.0.53.53) */
+ if (ai->ai_family == AF_INET) {
+ struct sockaddr_in *sin = (struct sockaddr_in *)ai->ai_addr;
+ if (sin->sin_addr.s_addr == htonl(0x7f003535)) {
+ krb5_warnx(context, "Fallback lookup failed: " "Realm %s needs immediate attention " "see https://icann.org/namecollision", kd->realm);
+ return KRB5_KDC_UNREACH;
+ }
+ }
+
+ hostlen = strlen(host);
 hi = calloc(1, sizeof(*hi) + hostlen);
 if(hi == NULL) {
 free(host);
- return ENOMEM;
+ return krb5_enomem(context);
 }
 hi->proto = proto;
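Review bot: The new `return KRB5_KDC_UNREACH;` in the collision branch leaks `host`, which the calloc-failure path a few lines further down frees before returning; put `free(host);` in front of it, and if `ai` came from getaddrinfo() just above this hunk (on the normal path it presumably ends up owned by `hi`), `freeaddrinfo(ai);` as well. The commit message says an error message is added to the context, but `krb5_warnx()` only writes to the warning destination, so a caller that inspects the context after KRB5_KDC_UNREACH gets no explanation; `krb5_set_error_message(context, KRB5_KDC_UNREACH, ...)` with the same text would match the description. The check also looks only at the head of the addrinfo list, so if make_hints() permits AF_INET6 results an AAAA entry ordered first would hide the marker address; a named constant for `0x7f003535` would make the intent clearer than the comment alone. fallback_get_hosts() continues past the end of this hunk.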