Fix logic error in signed RR handling.

In extract_addresses() the "secure" argument is only set if the
whole reply is validated (ie the AD bit can be set). Even without
that, some records may be validated, and should be marked
as such in the cache.

Related, the DNS doctor code has to update the flags for individual
RRs as it works, not the global "secure" flag.
This commit is contained in:
Simon Kelley
2024-02-02 21:36:56 +00:00
parent 86c15032ba
commit d4a6f3a93e
3 changed files with 44 additions and 36 deletions


@@ -1804,7 +1804,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now)
When validating replies to DS records, we're only interested in the NSEC{3} RRs in the auth section.
Other RRs in that section missing sigs will not cause am INSECURE reply. We determine this mode
is the nons argument is non-NULL.
if the nons argument is non-NULL.
*/
int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname,
int *class, int check_unsigned, int *neganswer, int *nons, int *nsec_ttl)
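Review bot: the comment line just above the changed one still reads "will not cause am INSECURE reply"; since this hunk only corrects the comment's "is the nons argument" to "if the nons argument", the adjacent "am" -> "an" typo could be folded into the same edit so the block comment is cleaned up in one pass.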