krb5: DNS A record fallback test for invalid gTLD

As per https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf prior to a new top-level domain being put into service there is controlled interuption service which will return explicit responses to DNS A, MX, SRV, and TXT queries that can be used to detect private namespace collisions. When performing fallback_get_hosts() check the AF_INET responses to ensure that they are not the gTLD name collision address 127.0.53.53. If so, add an error message to the context and return KRB5_KDC_UNREACH. Write a warning to the log (if any). Change-Id: I2578f13948b8327cc3f06542c1e489f02410143a
2015-12-26 23:33:10 -05:00
parent 4b45355162
commit 13568961ec
1 changed files with 17 additions and 3 deletions
--- a/lib/krb5/krbhst.c
+++ b/lib/krb5/krbhst.c
@@ -545,7 +545,7 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 		       serv_string, kd->fallback_count, kd->realm);

    if (ret < 0 || host == NULL)
-	return ENOMEM;
+	return krb5_enomem(context);

    make_hints(&hints, proto);
    snprintf(portstr, sizeof(portstr), "%d", port);
@@ -556,12 +556,26 @@ fallback_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
 	kd->flags |= KD_FALLBACK;
    } else {
 	struct krb5_krbhst_info *hi;
-	size_t hostlen = strlen(host);
+	size_t hostlen;

+	/* Check for ICANN gTLD Name Collision address (127.0.53.53) */
+	if (ai->ai_family == AF_INET) {
+	    struct sockaddr_in *sin = (struct sockaddr_in *)ai->ai_addr;
+	    if (sin->sin_addr.s_addr == htonl(0x7f003535)) {
+		krb5_warnx(context,
+			   "Fallback lookup failed: "
+			   "Realm %s needs immediate attention "
+			   "see https://icann.org/namecollision",
+			   kd->realm);
+		return KRB5_KDC_UNREACH;
+	    }
+	}
+
+	hostlen = strlen(host);
 	hi = calloc(1, sizeof(*hi) + hostlen);
 	if(hi == NULL) {
 	    free(host);
-	    return ENOMEM;
+	    return krb5_enomem(context);
 	}

 	hi->proto = proto;