Fix DNSSEC failure to validate unsigned NoDATA replies.

A reply with an empty answer section would not always be checked
for either suitable NSEC records or proof of non-existence of
the relevant DS record.
This commit is contained in:
Simon Kelley
2022-01-13 00:12:07 +00:00
parent 8285d335f4
commit ebd8350300


@@ -1989,7 +1989,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
{ {
/* NSEC and NSEC3 records must be signed. We make this assumption elsewhere. */ /* NSEC and NSEC3 records must be signed. We make this assumption elsewhere. */
if (type1 == T_NSEC || type1 == T_NSEC3) if (type1 == T_NSEC || type1 == T_NSEC3)
rc = STAT_INSECURE; return STAT_BOGUS | DNSSEC_FAIL_NOSIG;
else if (nons && i >= ntohs(header->ancount)) else if (nons && i >= ntohs(header->ancount))
/* If we're validating a DS reply, rather than looking for the value of AD bit, /* If we're validating a DS reply, rather than looking for the value of AD bit,
we only care that NSEC and NSEC3 RRs in the auth section are signed. we only care that NSEC and NSEC3 RRs in the auth section are signed.
@@ -2003,6 +2003,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
rc = zone_status(name, class1, keyname, now); rc = zone_status(name, class1, keyname, now);
if (STAT_ISEQUAL(rc, STAT_SECURE)) if (STAT_ISEQUAL(rc, STAT_SECURE))
rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG; rc = STAT_BOGUS | DNSSEC_FAIL_NOSIG;
if (class) if (class)
*class = class1; /* Class for NEED_DS or NEED_KEY */ *class = class1; /* Class for NEED_DS or NEED_KEY */
} }
@@ -2081,7 +2082,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
} }
/* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */ /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
if (STAT_ISEQUAL(secure, STAT_SECURE))
for (j = 0; j <targetidx; j++) for (j = 0; j <targetidx; j++)
if ((p2 = targets[j])) if ((p2 = targets[j]))
{ {