Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix DNSSEC without dnssec-check-unsigned.

Browse Source 
An oversight meant that non-existance checking was being done
anyway.

(Should probably alter the default for this.)
This commit is contained in:
Simon Kelley
2018-04-11 22:49:31 +01:00
parent 4441cf762c
commit 4e72fec660
1 changed files with 31 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
src/dnssec.c
View File

@@ -872,7 +872,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if (qtype != T_DS || qclass != class) if (qtype != T_DS || qclass != class)
rc = STAT_BOGUS; rc = STAT_BOGUS;
else else
rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons); rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 1, &neganswer, &nons);
if (rc == STAT_INSECURE) if (rc == STAT_INSECURE)
rc = STAT_BOGUS; rc = STAT_BOGUS;
@@ -1966,35 +1966,36 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
} }
/* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */ /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
for (j = 0; j <targetidx; j++) if (check_unsigned)
if ((p2 = targets[j])) for (j = 0; j <targetidx; j++)
{ if ((p2 = targets[j]))
if (neganswer) {
*neganswer = 1; if (neganswer)
*neganswer = 1;
if (!extract_name(header, plen, &p2, name, 1, 10))
return STAT_BOGUS; /* bad packet */ if (!extract_name(header, plen, &p2, name, 1, 10))
return STAT_BOGUS; /* bad packet */
/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
/* For anything other than a DS record, this situation is OK if either
the answer is in an unsigned zone, or there's a NSEC records. */ /* For anything other than a DS record, this situation is OK if either
if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons)) the answer is in an unsigned zone, or there's a NSEC records. */
{ if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
/* Empty DS without NSECS */ {
if (qtype == T_DS) /* Empty DS without NSECS */
return STAT_BOGUS; if (qtype == T_DS)
return STAT_BOGUS;
if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
{ if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
if (class) {
*class = qclass; /* Class for NEED_DS or NEED_KEY */ if (class)
return rc; *class = qclass; /* Class for NEED_DS or NEED_KEY */
} return rc;
}
return STAT_BOGUS; /* signed zone, no NSECs */
} return STAT_BOGUS; /* signed zone, no NSECs */
} }
}
return secure; return secure;
} }