Handle SERVFAIL responses to DS queries better.

On 15/5/2023 8.8.8.8 was returning SERVFAIL for a query on ec.europa.eu

ec.europa.eu is not a domain cut; that happens at jrc.ec.europa.eu., which
does return a signed proof of non-existence for a DS record.
Abandoning the search for a DS or proof of non-existence at ec.europa.eu
renders everything within that domain BOGUS, since nothing is signed.

This code changes behaviour on a SERVFAIL to continue looking
deeper for a DS or proof of its nonexistence.
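The behaviour change described in the commit message, as an added model that is not dnsmasq code: a validator walking down from the trust anchor asks for a DS at each label; a signed DS means the delegation is secure and the walk continues, a signed proof of non-existence means everything below is unsigned (INSECURE, not BOGUS), and a SERVFAIL is either fatal (old behaviour) or skipped in the hope that the next label is the real cut (new behaviour). The upstream answers are constructed to match the case in the message: SERVFAIL at ec.europa.eu, signed proof of no DS at jrc.ec.europa.eu. The `Ds` enum, `UPSTREAM` table and the function names are assumptions of this example, not identifiers from the dnsmasq source.

```python
from enum import Enum


class Ds(Enum):
    """Possible outcomes of a DS query at one label (example-only enum)."""
    PRESENT = "signed DS record"
    ABSENT = "signed proof that no DS exists"
    SERVFAIL = "SERVFAIL"


# Constructed upstream behaviour, modelled on the commit message:
# 8.8.8.8 returned SERVFAIL for the DS query at ec.europa.eu (not a domain
# cut), while jrc.ec.europa.eu (the real cut) returned a signed proof of no DS.
UPSTREAM = {
    "eu.": Ds.PRESENT,
    "europa.eu.": Ds.PRESENT,
    "ec.europa.eu.": Ds.SERVFAIL,
    "jrc.ec.europa.eu.": Ds.ABSENT,
}

# Constructed second scenario: the SERVFAIL is at the deepest label, so
# tolerating it cannot help because no deeper definitive answer exists.
UPSTREAM_NO_RECOVERY = {
    "example.": Ds.PRESENT,
    "broken.example.": Ds.SERVFAIL,
}


def ds_query_points(name):
    """Names at which the validator asks for a DS, from just below the root
    down to `name` itself, e.g. eu., europa.eu., ec.europa.eu., ..."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(name, upstream, tolerate_servfail):
    """Walk the DS chain for `name`.

    Returns (status, deciding_zone) where status is SECURE, INSECURE or BOGUS
    and deciding_zone is the label whose answer settled the outcome.
    `tolerate_servfail=False` models the old dnsmasq behaviour described in the
    commit message; True models the new one.
    """
    pending_servfail = None  # deepest tolerated SERVFAIL not yet resolved
    for zone in ds_query_points(name):
        answer = upstream.get(zone, Ds.SERVFAIL)  # unknown label: assume failure
        if answer is Ds.PRESENT:
            # A validated DS at this label means the chain is intact so far,
            # which also settles any tolerated SERVFAIL above it.
            pending_servfail = None
            continue
        if answer is Ds.ABSENT:
            # Signed proof of non-existence: nothing below is signed.
            return ("INSECURE", zone)
        # SERVFAIL
        if not tolerate_servfail:
            return ("BOGUS", zone)
        pending_servfail = zone
    if pending_servfail is not None:
        # Ran out of labels without a definitive answer: cannot prove anything.
        return ("BOGUS", pending_servfail)
    return ("SECURE", name)


if __name__ == "__main__":
    target = "jrc.ec.europa.eu."
    print("old:", validate(target, UPSTREAM, tolerate_servfail=False))
    print("new:", validate(target, UPSTREAM, tolerate_servfail=True))
    print("no recovery:", validate("broken.example.", UPSTREAM_NO_RECOVERY, True))
```

Under the old rule the walk stops at ec.europa.eu and reports BOGUS; under the new rule it continues to jrc.ec.europa.eu, finds the signed proof of no DS and correctly reports INSECURE. The second table shows the caveat: tolerating SERVFAIL only helps when a deeper label gives a signed answer, so a SERVFAIL at the last label still ends BOGUS rather than silently downgrading to INSECURE.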
Simon Kelley
2023-05-15 18:11:06 +01:00
parent 1d6fe0ea84
commit 31c91b40bd
2 changed files with 37 additions and 28 deletions


@@ -2046,7 +2046,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
daemon->log_display_id = ++daemon->log_id;
log_query_mysockaddr(F_NOEXTRA | F_DNSSEC | F_SERVER, keyname, &server->addr,
STAT_ISEQUAL(status, STAT_NEED_KEY) ? "dnssec-query[DNSKEY]" : "dnssec-query[DS]", 0);
STAT_ISEQUAL(new_status, STAT_NEED_KEY) ? "dnssec-query[DNSKEY]" : "dnssec-query[DS]", 0);
new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount);
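Review bot: the hunk does not show where `new_status` is assigned before the `log_query_mysockaddr` call, so confirm that every path reaching this line, including the SERVFAIL-continuation path the commit message describes, has set `new_status` before it is read; switching the label from `status` to `new_status` does make the "dnssec-query[DNSKEY]" / "dnssec-query[DS]" text agree with the `tcp_key_recurse(now, new_status, ...)` call on the next line, which is the right thing to log, but only if `new_status` is never stale at that point. Also note that this `@@ -2046,7 +2046,7 @@` hunk is a one-line change in a commit listed as 37 additions and 28 deletions across 2 files, so the SERVFAIL behaviour change itself is not visible here and should be reviewed in the rest of the diff.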