RRSIG headers fix

semihalev · Oct 14, 2018 · 45fe609 · 45fe609
1 parent 30c0c4d
commit 45fe609
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ $ go build
 * Query based ratelimit
 * Black-hole internet advertisements and malware servers
 * HTTP API support 
-* Outbount IP selection
+* Outbound IP selection
 
 ## TODO
 

diff --git a/resolver.go b/resolver.go
@@ -117,6 +117,9 @@ func (r *Resolver) Resolve(Net string, req *dns.Msg, servers []string, root bool
 		var signerFound bool
 
 		for _, rr := range resp.Answer {
+			if rr.Header().Name != req.Question[0].Name {
+				continue
+			}
 			if sigrec, ok := rr.(*dns.RRSIG); ok {
 				signer = sigrec.SignerName
 				signerFound = true
@@ -277,6 +280,9 @@ func (r *Resolver) Resolve(Net string, req *dns.Msg, servers []string, root bool
 				var signerFound bool
 
 				for _, rr := range resp.Ns {
+					if rr.Header().Name != nsrec.Header().Name {
+						continue
+					}
 					if sigrec, ok := rr.(*dns.RRSIG); ok {
 						signer = sigrec.SignerName
 						signerFound = true

diff --git a/utils.go b/utils.go
@@ -227,8 +227,14 @@ func verifyRRSIG(keys map[uint16]*dns.DNSKEY, msg *dns.Msg) error {
 		return errNoSignatures
 	}
 
+main:
 	for _, sigRR := range sigs {
 		sig := sigRR.(*dns.RRSIG)
+		for _, k := range keys {
+			if !strings.HasPrefix(sig.Header().Name, k.Header().Name) {
+				continue main
+			}
+		}
 		rest := extractRRSet(rr, sig.Header().Name, sig.TypeCovered)
 		if len(rest) == 0 {
 			return errMissingSigned