Return INSECURE when validation fails with proved non-existent DS.

This commit is contained in:
Simon Kelley
2014-02-25 23:13:28 +00:00
parent 613ad15d02
commit b47b04c846


@@ -1072,10 +1072,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
GETSHORT(qtype, p); GETSHORT(qtype, p);
GETSHORT(qclass, p); GETSHORT(qclass, p);
if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0) if (qtype != T_DS || qclass != class)
return STAT_BOGUS; val = STAT_BOGUS;
else
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL); val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
if (val == STAT_BOGUS) if (val == STAT_BOGUS)
{ {
@@ -1083,7 +1083,11 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
extract_name(header, plen, &p, name, 1, 4); extract_name(header, plen, &p, name, 1, 4);
log_query(F_UPSTREAM, name, NULL, "BOGUS DS"); log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
} }
/* proved that no DS exists, can't validate */
if (val == STAT_SECURE && ntohs(header->ancount) == 0)
return STAT_INSECURE;
return val; return val;
} }
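Review bot: The new early return at the end of dnssec_validate_ds treats `val == STAT_SECURE && ntohs(header->ancount) == 0` as "proved that no DS exists", but the comment does not say what makes that safe: it relies on dnssec_validate_reply returning STAT_SECURE for an empty-answer reply only after it has validated the NSEC/NSEC3 denial-of-existence proof, so a reply that merely has its answer section stripped still ends up BOGUS rather than being downgraded to INSECURE. That precondition lives in dnssec_validate_reply, outside this hunk, and is worth stating here so a later change to that function does not silently turn this into a downgrade path. Whether the validated proof also distinguishes "no DS at a delegation" from "no delegation at all" (the name being within the parent zone, where validation should continue with the parent's keys) cannot be seen from this hunk and should be confirmed before returning STAT_INSECURE for both cases. I would replace the one-line comment with `/* STAT_SECURE with an empty answer means the NODATA proof for the DS was validated by dnssec_validate_reply: the delegation is proven insecure. An unsigned empty reply never reaches here as STAT_SECURE, so this is not a downgrade on ancount alone. */`. In the first hunk, the new `else` body would also read better braced, matching the braced `if (val == STAT_BOGUS)` block below it.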