Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Inhibit DNSSEC validation when forwarding to private servers for a domain.

Browse Source 
server=/example.com/<ip-of-server>

The rationale is that the chain-of-trust will not be complete to
private servers. If it was, it would not be necessary to access the
server direct.
This commit is contained in:
Simon Kelley
2016-01-11 22:50:00 +00:00
parent b633de9413
commit 5757371d43
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/forward.c
View File

@@ -406,7 +406,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
}
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))
if (option_bool(OPT_DNSSEC_VALID) && !(type & SERV_HAS_DOMAIN))
{
size_t new = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ);
@@ -858,7 +858,8 @@ void reply_query(int fd, int family, time_t now)
no_cache_dnssec = 1;
#ifdef HAVE_DNSSEC
if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
if (server && !(server->flags & SERV_HAS_DOMAIN) &&
option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
{
int status = 0;