Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

An NSEC record cannot attest to its own non-existance!

Browse Source
This commit is contained in:
Simon Kelley
2014-02-24 20:20:00 +00:00
parent d387380a25
commit f01d7be6c6
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/dnssec.c
View File

@@ -860,7 +860,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(qclass, p); GETSHORT(qclass, p);
if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0) if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
return STAT_INSECURE; return STAT_BOGUS;
/* See if we have cached a DS record which validates this key */ /* See if we have cached a DS record which validates this key */
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS))) if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
@@ -894,7 +894,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(flags, p); GETSHORT(flags, p);
if (*p++ != 3) if (*p++ != 3)
return STAT_INSECURE; return STAT_BOGUS;
algo = *p++; algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4); keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
key = NULL; key = NULL;
@@ -984,7 +984,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(flags, p); GETSHORT(flags, p);
if (*p++ != 3) if (*p++ != 3)
return STAT_INSECURE; return STAT_BOGUS;
algo = *p++; algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4); keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
@@ -1080,7 +1080,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
GETSHORT(qclass, p); GETSHORT(qclass, p);
if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0) if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
return STAT_INSECURE; return STAT_BOGUS;
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL); val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
@@ -1255,6 +1255,10 @@ static int prove_non_existance_nsec(struct dns_header *header, size_t plen, unsi
if (rc == 0) if (rc == 0)
{ {
/* 4035 para 5.4. Last sentence */
if (type == T_NSEC || type == T_RRSIG)
return STAT_SECURE;
/* NSEC with the same name as the RR we're testing, check /* NSEC with the same name as the RR we're testing, check
that the type in question doesn't appear in the type map */ that the type in question doesn't appear in the type map */
rdlen -= p - psave; rdlen -= p - psave;