Handle SERVFAIL replies when looking for proven-nonexistence of DS.

This commit is contained in:
Simon Kelley
2014-04-26 22:13:31 +01:00
parent 50f86ce8e4
commit 4872aa747b


@@ -1347,7 +1347,13 @@ static int do_check_sign(time_t now, struct dns_header *header, size_t plen, cha
{ {
char *name_start; char *name_start;
unsigned char *p; unsigned char *p;
int status = dnssec_validate_ds(now, header, plen, name, keyname, class); int status;
/* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
suitable NSEC reply to DS queries. */
if (RCODE(header) != SERVFAIL)
{
status = dnssec_validate_ds(now, header, plen, name, keyname, class);
if (status != STAT_INSECURE) if (status != STAT_INSECURE)
{ {
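Review bot: `int status;` is now declared without an initializer and is only assigned inside the `RCODE(header) != SERVFAIL` branch, so on a SERVFAIL reply it is never set; any read of `status` after the branch (the rest of do_check_sign lies outside this hunk, so I cannot see whether one exists) would be an uninitialized read. Since the only visible uses are inside that branch, the simplest fix is to narrow the scope: drop the outer declaration and write `int status = dnssec_validate_ds(now, header, plen, name, keyname, class);` as the first line inside the braces, which makes a later accidental use a compile error rather than undefined behaviour. If `status` really is needed after the block, initialise it instead, e.g. `int status = STAT_INSECURE;`, and say so in the comment, since the SERVFAIL path then silently behaves like an insecure result.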
@@ -1355,6 +1361,7 @@ static int do_check_sign(time_t now, struct dns_header *header, size_t plen, cha
status = STAT_INSECURE; status = STAT_INSECURE;
return status; return status;
} }
}
p = (unsigned char *)(header+1); p = (unsigned char *)(header+1);