Fix DNSSEC without dnssec-check-unsigned.

An oversight meant that non-existance checking was being done anyway. (Should probably alter the default for this.)
2025-12-19 18:28:25 +00:00 · 2018-04-11 22:49:31 +01:00
parent 4441cf762c
commit 4e72fec660
1 changed files with 31 additions and 30 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -872,7 +872,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
  if (qtype != T_DS || qclass != class)
    rc = STAT_BOGUS;
  else
-    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons);
+    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 1, &neganswer, &nons);
  
  if (rc == STAT_INSECURE)
    rc = STAT_BOGUS;
@@ -1966,35 +1966,36 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
    }

  /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
-  for (j = 0; j <targetidx; j++)
-    if ((p2 = targets[j]))
-      {
-	if (neganswer)
-	  *neganswer = 1;
+  if (check_unsigned)
+    for (j = 0; j <targetidx; j++)
+      if ((p2 = targets[j]))
+	{
+	  if (neganswer)
+	    *neganswer = 1;
 	  
-	if (!extract_name(header, plen, &p2, name, 1, 10))
-	  return STAT_BOGUS; /* bad packet */
+	  if (!extract_name(header, plen, &p2, name, 1, 10))
+	    return STAT_BOGUS; /* bad packet */
 	  
-	/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
+	  /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
 	  
-	/* For anything other than a DS record, this situation is OK if either
-	   the answer is in an unsigned zone, or there's a NSEC records. */
-	if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
-	  {
-	    /* Empty DS without NSECS */
-	    if (qtype == T_DS)
-	      return STAT_BOGUS;
+	  /* For anything other than a DS record, this situation is OK if either
+	     the answer is in an unsigned zone, or there's a NSEC records. */
+	  if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
+	    {
+	      /* Empty DS without NSECS */
+	      if (qtype == T_DS)
+		return STAT_BOGUS;
 	      
-	    if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
-	      {
-		if (class)
-		  *class = qclass; /* Class for NEED_DS or NEED_KEY */
-		return rc;
-	      } 
+	      if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
+		{
+		  if (class)
+		    *class = qclass; /* Class for NEED_DS or NEED_KEY */
+		  return rc;
+		} 
 	      
-	    return STAT_BOGUS; /* signed zone, no NSECs */
-	  }
-      }
+	      return STAT_BOGUS; /* signed zone, no NSECs */
+	    }
+	}
  
  return secure;
 }