c6ce1e7e MT |
1 | From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
3 | Date: Thu, 26 Mar 2015 21:15:43 +0000 | |
697b4f04 | 4 | Subject: [PATCH 061/113] Don't fail DNSSEC when a signed CNAME dangles into an |
c6ce1e7e MT |
5 | unsigned zone. |
6 | ||
7 | --- | |
8 | src/dnssec.c | 3 ++- | |
9 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
10 | ||
11 | diff --git a/src/dnssec.c b/src/dnssec.c | |
12 | index ad0d6f072ba2..db5c768bd751 100644 | |
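--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */
 /* First marshall the NSEC records, if we've not done it previously */
 if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass)))
- return STAT_BOGUS; /* No NSECs */
+ return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into
+ an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
 
 /* Get name of missing answer */
 if (!extract_name(header, plen, &qname, name, 1, 0))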
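Review bot: The new `return STAT_NO_SIG;` under the `find_nsec_records` check now covers every NXDOMAIN/NODATA reply that arrives without NSEC records, not only the dangling-CNAME case the comment calls "probably" the cause. A negative reply from a signed zone whose NSECs were stripped in transit takes the same path, so validation stays sound only if every caller that sees `STAT_NO_SIG` proves the zone unsigned before accepting the answer, and falls back to BOGUS when it cannot. That caller is not visible here; `dnssec_validate_reply` begins and ends outside the hunk. I would state the contract above the return rather than trailing it across two lines under an unbraced `if`, for example `/* No NSECs: caller MUST prove the zone is unsigned (no DS) before accepting; otherwise treat as BOGUS. */`. A regression test with a signed-zone negative reply whose NSEC records have been removed would confirm it still ends up BOGUS.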
25 | -- | |
26 | 2.1.0 | |
27 |