DNSSEC: Unsigned RRs in auth section proving that a DS doesn't exist are OK.

In a reply proving that a DS doesn't exist, it doesn't matter if RRs
in the auth section _other_ than NSEC/NSEC3 are not signed. We can't
set the AD flag when returning the query, but it still proves
that the DS doesn't exist for internal use.

As one of the RRs which may not be signed is the SOA record, use the
TTL of the NSEC record to cache the negative result, not one
derived from the SOA.

Thanks to Tore Anderson for spotting and diagnosing the bug.
Simon Kelley
2019-08-29 21:59:00 +01:00
parent 5a91334985
commit fef2f1c75e
4 changed files with 51 additions and 73 deletions
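The validation rule the commit message describes, as an added illustration that is not dnsmasq's own code: only the NSEC record carrying the DS non-existence proof must be signed, an unsigned SOA in the same auth section does not fail validation but does withhold the AD bit, and the negative result is cached with the NSEC TTL rather than anything taken from the SOA. The model below is deliberately simplified and makes these assumptions: signatures are represented by the presence of an already-verified RRSIG over the owner/type pair (no cryptography is performed), only NSEC proofs are handled (NSEC3 would need owner-name hashing), the names and TTLs are constructed, and the `strict_auth_section` switch reproduces the pre-fix behaviour of rejecting any unsigned RR in the auth section.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """A resource record from the authority section (assumed, simplified model)."""
    name: str
    rtype: str
    ttl: int
    rdata: tuple = ()
    types: frozenset = frozenset()  # NSEC type bitmap; only meaningful for rtype == "NSEC"


@dataclass(frozen=True)
class RRSIG:
    """Stand-in for an RRSIG whose signature has already been verified (assumption)."""
    name: str
    type_covered: str


def is_signed(rr: RR, rrsigs: Iterable[RRSIG]) -> bool:
    # A record counts as signed when a verified RRSIG covers its owner name and type.
    return any(s.name == rr.name and s.type_covered == rr.rtype for s in rrsigs)


def prove_ds_absent(qname: str, auth: Iterable[RR], rrsigs: Iterable[RRSIG],
                    strict_auth_section: bool = False) -> Tuple[bool, bool, Optional[int]]:
    """Decide whether the auth section proves that no DS exists for qname.

    Returns (proven, ad_flag, negative_ttl).
      proven       - a signed NSEC at qname shows NS set and DS clear (insecure delegation)
      ad_flag      - True only when every other auth-section RR is signed as well
      negative_ttl - TTL of the NSEC proof, never derived from the (possibly unsigned) SOA
    """
    auth = list(auth)
    rrsigs = list(rrsigs)
    nsecs = [rr for rr in auth if rr.rtype == "NSEC"]
    others = [rr for rr in auth if rr.rtype not in ("NSEC", "NSEC3", "RRSIG")]

    # Pre-fix behaviour: an unsigned SOA (or any unsigned RR) fails the whole reply.
    if strict_auth_section and any(not is_signed(rr, rrsigs) for rr in others):
        return False, False, None

    # Post-fix behaviour: only the NSEC carrying the proof must be signed.
    proof = [
        rr for rr in nsecs
        if is_signed(rr, rrsigs)
        and rr.name == qname
        and "NS" in rr.types      # delegation point ...
        and "DS" not in rr.types  # ... with no DS: the child zone is insecure
    ]
    if not proof:
        return False, False, None

    negative_ttl = min(rr.ttl for rr in proof)
    # AD can only be set if everything in the auth section validated.
    ad_flag = all(is_signed(rr, rrsigs) for rr in others)
    return True, ad_flag, negative_ttl


# Constructed reply for a DS query at an insecure delegation (names are made up).
QNAME = "unsigned-child.example."
AUTH = [
    # SOA of the parent zone, unsigned in this reply; its minimum field (300) must not
    # be used for negative caching because the record itself was not validated.
    RR("example.", "SOA", 86400, ("ns1.example.", "hostmaster.example.", 1, 3600, 900, 604800, 300)),
    # Signed NSEC at the delegation: NS present, DS absent.
    RR(QNAME, "NSEC", 3600, ("unsigned-child0.example.",), frozenset({"NS", "RRSIG", "NSEC"})),
]
RRSIGS = [RRSIG(QNAME, "NSEC")]


def demo() -> dict:
    """Run the same reply through both behaviours and a fully signed variant."""
    return {
        "fixed": prove_ds_absent(QNAME, AUTH, RRSIGS),
        "pre_fix": prove_ds_absent(QNAME, AUTH, RRSIGS, strict_auth_section=True),
        "soa_signed_too": prove_ds_absent(QNAME, AUTH, RRSIGS + [RRSIG("example.", "SOA")]),
        "nsec_unsigned": prove_ds_absent(QNAME, AUTH, []),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:15s} proven={result[0]} ad={result[1]} neg_ttl={result[2]}")
```

With the NSEC signed and the SOA not, the fixed logic accepts the proof, caches it for the NSEC's 3600 seconds rather than the SOA minimum of 300, and leaves AD clear; the pre-fix path rejects the same reply outright, which is the spurious validation failure the changelog entry describes.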


@@ -45,6 +45,12 @@ version 2.81
Fix compilation against nettle version 3.5 and later.
Fix spurious DNSSEC validation failures when the auth section
of a reply proving that a DS record does not exist contains
unsigned RRs. Only the NSEC/NSEC3 records needed to prove
the non-existence of the DS record must be signed. Thanks
to Tore Anderson for spotting and diagnosing the bug.
version 2.80
Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method
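Review bot: The new CHANGELOG entry for version 2.81 only documents the validation fix and omits the second behaviour change the commit message describes: the negative DS result is now cached using the TTL of the NSEC/NSEC3 record rather than a value derived from the SOA (which may itself be unsigned in such a reply), and the AD flag is not set when the reply is returned. Suggest extending the entry after "must be signed." with something like "The negative result is cached for the TTL of the NSEC/NSEC3 record, not a value derived from the SOA, and the AD bit is not set on the returned reply." so that operators who notice a changed cache lifetime or a missing AD bit can trace it to this release.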