Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix DNSSEC without dnssec-check-unsigned.

Browse Source 
An oversight meant that non-existance checking was being done
anyway.

(Should probably alter the default for this.)
This commit is contained in:
Simon Kelley
2018-04-11 22:49:31 +01:00
parent 4441cf762c
commit 4e72fec660
1 changed files with 31 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/dnssec.c
View File

@@ -872,7 +872,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if (qtype != T_DS || qclass != class)
rc = STAT_BOGUS;
else
rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons);
rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 1, &neganswer, &nons);
if (rc == STAT_INSECURE)
rc = STAT_BOGUS;
@@ -1966,6 +1966,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
}
/* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
if (check_unsigned)
for (j = 0; j <targetidx; j++)
if ((p2 = targets[j]))
{