Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix DNSSEC without dnssec-check-unsigned.

Browse Source 
An oversight meant that non-existance checking was being done
anyway.

(Should probably alter the default for this.)
This commit is contained in:
Simon Kelley
2018-04-11 22:49:31 +01:00
parent 4441cf762c
commit 4e72fec660
1 changed files with 31 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
src/dnssec.c
View File

@@ -872,7 +872,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if (qtype != T_DS || qclass != class) if (qtype != T_DS || qclass != class)
rc = STAT_BOGUS; rc = STAT_BOGUS;
else else
rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 1, &neganswer, &nons);
if (rc == STAT_INSECURE) if (rc == STAT_INSECURE)
rc = STAT_BOGUS; rc = STAT_BOGUS;
@@ -1966,35 +1966,36 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
} }
/* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */ /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
for (j = 0; j <targetidx; j++) if (check_unsigned)
if ((p2 = targets[j])) for (j = 0; j <targetidx; j++)
{ if ((p2 = targets[j]))
if (neganswer) {
*neganswer = 1; if (neganswer)
*neganswer = 1;
if (!extract_name(header, plen, &p2, name, 1, 10)) if (!extract_name(header, plen, &p2, name, 1, 10))
return STAT_BOGUS; /* bad packet */ return STAT_BOGUS; /* bad packet */
/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */ /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
/* For anything other than a DS record, this situation is OK if either /* For anything other than a DS record, this situation is OK if either
the answer is in an unsigned zone, or there's a NSEC records. */ the answer is in an unsigned zone, or there's a NSEC records. */
if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons)) if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
{ {
/* Empty DS without NSECS */ /* Empty DS without NSECS */
if (qtype == T_DS) if (qtype == T_DS)
return STAT_BOGUS; return STAT_BOGUS;
if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE) if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
{ {
if (class) if (class)
*class = qclass; /* Class for NEED_DS or NEED_KEY */ *class = qclass; /* Class for NEED_DS or NEED_KEY */
return rc; return rc;
} }
return STAT_BOGUS; /* signed zone, no NSECs */ return STAT_BOGUS; /* signed zone, no NSECs */
} }
} }
return secure; return secure;
} }