Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Handle SERVFAIL replies when looking for proven-nonexistence of DS.

Browse Source
This commit is contained in:
Simon Kelley
2014-04-26 22:13:31 +01:00
parent 50f86ce8e4
commit 4872aa747b
1 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/forward.c
View File

@@ -1347,13 +1347,20 @@ static int do_check_sign(time_t now, struct dns_header *header, size_t plen, cha
{ {
char *name_start; char *name_start;
unsigned char *p; unsigned char *p;
int status = dnssec_validate_ds(now, header, plen, name, keyname, class); int status;
if (status != STAT_INSECURE) /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
{ suitable NSEC reply to DS queries. */
if (status == STAT_NO_DS) if (RCODE(header) != SERVFAIL)
status = STAT_INSECURE; {
return status; status = dnssec_validate_ds(now, header, plen, name, keyname, class);
if (status != STAT_INSECURE)
{
if (status == STAT_NO_DS)
status = STAT_INSECURE;
return status;
}
} }
p = (unsigned char *)(header+1); p = (unsigned char *)(header+1);