]> git.ipfire.org Git - thirdparty/pdns.git/commit - pdns/recursordist/test-syncres_cc.cc
projects / thirdparty / pdns.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 12abac2) | patch
rec: Fix DNSSEC validation of DS denial from the negative cache 5978/head
authorRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 20 Nov 2017 17:12:48 +0000 (18:12 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 20 Nov 2017 17:12:48 +0000 (18:12 +0100)
commitf5a747bbc131c0ad80ce31145af8b199c2488c75
tree49cfb2bfe5a993b83f9e308f16e9c26adf2d2ab9tree | snapshot
parent12abac2e69988812f87fbf77223baf13a034b1efcommit | diff
rec: Fix DNSSEC validation of DS denial from the negative cache

There is two reasons you can get a proper DS denial:
* Secure to insecure cut, and if we are getting a referral with a
DS denial, we know that we have to check that the NS bit is set
as described in section 8.9 of rfc5155
* No zone cut inside a secure zone, and then of course the NS is
not set

When we retrieve the DS denial from the negative cache with a
validation status of Indeterminate, most likely because validation
was not enabled during the query that landed it in the cache, we
don't have enough data to know which case we are looking at, so
let's just skip the NS check.
pdns/recursordist/test-syncres_cc.cc diff | blob | blame | history
pdns/syncres.cc diff | blob | blame | history
pdns/validate.cc diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.