Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 10:18:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Treat cache insertion failure of DNSKEY and DS records as

Browse Source 
another resource problem and fail validation with suitable logging.
This commit is contained in:
Simon Kelley
2024-03-27 16:00:06 +00:00
parent b8ff4bb762
commit 550c368ade
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/dnssec.c
View File

@@ -943,8 +943,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK)) if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DNSKEY | F_DNSSECOK))
{ {
/* cache_insert fails when the cache is too small, so error with STAT_ABANDONED which
will log this as a resource exhaustion problem, which it is. */
blockdata_free(key); blockdata_free(key);
return STAT_BOGUS; return STAT_ABANDONED;
} }
a.log.keytag = keytag; a.log.keytag = keytag;
@@ -1091,8 +1093,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DS | F_DNSSECOK)) if (!cache_insert(name, &a, class, now, ttl, F_FORWARD | F_DS | F_DNSSECOK))
{ {
/* cache_insert fails when the cache is too small, so error with STAT_ABANDONED which
will log this as a resource exhaustion problem, which it is. */
blockdata_free(key); blockdata_free(key);
return STAT_BOGUS; return STAT_ABANDONED;
} }
else else
{ {
@@ -1132,7 +1136,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
/* Use TTL from NSEC for negative cache entries */ /* Use TTL from NSEC for negative cache entries */
if (!cache_insert(name, NULL, class, now, neg_ttl, flags)) if (!cache_insert(name, NULL, class, now, neg_ttl, flags))
return STAT_BOGUS; return STAT_ABANDONED;
cache_end_insert(); cache_end_insert();