From 4b45355162371d2692e7bb6b8c3ad5e730885556 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Sat, 26 Dec 2015 13:04:22 -0500 Subject: [PATCH] krb5: DNS SRV records test for invalid gTLD As per https://www.icann.org/en/system/files/files/name-collision-mitigation-01aug14-en.pdf prior to a new top-level domain being put into service there is a controlled interuption service which will return explicit responses to DNS A, MX, SRV, and TXT queries that can be used to detect private namespace collisions. Modify SRV records lookups to detect the special hostname returned in the SRV response, skip the response, and record an appropriate error if it is detected. Write a warning to the log (if any). Change-Id: I47e049b617e39e49939bc92d513a547de1d04624 --- lib/krb5/krbhst.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c index 44689ff72..a196c0a03 100644 --- a/lib/krb5/krbhst.c +++ b/lib/krb5/krbhst.c @@ -108,16 +108,32 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, for(num_srv = 0, rr = r->head; rr; rr = rr->next) if(rr->type == rk_ns_t_srv) { - krb5_krbhst_info *hi; - size_t len = strlen(rr->u.srv->target); + krb5_krbhst_info *hi = NULL; + size_t len; + int invalid_tld = 1; - hi = calloc(1, sizeof(*hi) + len); + /* Test for top-level domain controlled interruptions */ + if (strncmp("your-dns-needs-immediate-attention.", + rr->u.srv->target, 35) == 0 + && strchr(&rr->u.srv->target[35], '.') == NULL) { + invalid_tld = 0; + len = strlen(rr->u.srv->target); + hi = calloc(1, sizeof(*hi) + len); + } if(hi == NULL) { rk_dns_free_data(r); while(--num_srv >= 0) free((*res)[num_srv]); free(*res); *res = NULL; + if (invalid_tld) { + krb5_warnx(context, + "Domain lookup failed: " + "Realm %s needs immediate attention " + "see https://icann.org/namecollision", + realm); + return KRB5_KDC_UNREACH; + } return krb5_enomem(context); } (*res)[num_srv++] = hi;