Handle truncated replies in DNSSEC validation.

This commit is contained in:
Simon Kelley
2014-01-08 11:22:32 +00:00
parent 65d1e3bb9b
commit 871417d45d


@@ -686,7 +686,19 @@ void reply_query(int fd, int family, time_t now)
if (forward->stash)
return;
if (forward->flags & FREC_DNSKEY_QUERY)
if (header->hb3 & HB3_TC)
{
/* Truncated answer can't be validated.
The client will retry over TCP, but if this is an answer to a
DNSSEC-generated query, we have a problem. Should really re-send
over TCP. No-one with any sense will make a DNSKEY or DS RRset
exceed 4096, so this may not be a real problem. Just log
for now. */
if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
status = STAT_INSECURE;
}
else if (forward->flags & FREC_DNSKEY_QUERY)
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
else if (forward->flags & FREC_DS_QUERY)
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);