DNSSEC: Unsigned RRs in auth section proving that a DS doesn't exist are OK.

In a reply proving that a DS doesn't exist, it doesn't matter if RRs in the auth section _other_ than NSEC/NSEC3 are not signed. We can't set the AD flag when returning the query, but it still proves that the DS doesn't exist for internal use. As one of the RRs which may not be signed is the SOA record, use the TTL of the NSEC record to cache the negative result, not one derived from the SOA. Thanks to Tore Anderson for spotting and diagnosing the bug.
2025-12-19 18:28:25 +00:00 · 2019-08-29 21:59:00 +01:00
parent 5a91334985
commit fef2f1c75e
4 changed files with 51 additions and 73 deletions
--- a/src/forward.c
+++ b/src/forward.c
@@ -1004,7 +1004,7 @@ void reply_query(int fd, int family, time_t now)
 		  else
 		    status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, 
 						   !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
-						   NULL, NULL);
+						   NULL, NULL, NULL);
 #ifdef HAVE_DUMPFILE
 		  if (status == STAT_BOGUS)
 		    dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS,
@@ -1601,7 +1601,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
      else 
 	new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
 					   !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
-					   NULL, NULL);
+					   NULL, NULL, NULL);
      
      if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
 	break;