Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Return INSECURE, rather than BOGUS when DS proved not to exist.

Browse Source 
Return INSECURE when validating DNS replies which have RRSIGs, but
when a needed DS record in the trust chain is proved not to exist.
It's allowed for a zone to set up DNSKEY and RRSIG records first, then
add a DS later, completing the chain of trust.

Also, since we don't have the infrastructure to track that these
non-validated replies have RRSIGS, don't cache them, so we don't
provide answers with missing RRSIGS from the cache.
This commit is contained in:
Simon Kelley
2015-04-03 21:25:05 +01:00
parent 7aa970e2c7
commit fe3992f9fa
3 changed files with 69 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/dnsmasq.h
View File

@@ -583,6 +583,7 @@ struct hostsfile {
#define STAT_NO_NS 10
#define STAT_NEED_DS_NEG 11
#define STAT_CHASE_CNAME 12
#define STAT_INSECURE_DS 13
#define FREC_NOREBIND 1
#define FREC_CHECKING_DISABLED 2