resolved: print a log message when we ignore an NSEC3 RR with an excessive amount...
authorLennart Poettering <lennart@poettering.net>
Sun, 3 Jan 2016 16:54:01 +0000 (17:54 +0100)
committerLennart Poettering <lennart@poettering.net>
Sun, 3 Jan 2016 16:54:01 +0000 (17:54 +0100)
src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-dnssec.h

index 1182201b7d450f861021af60aaf7fb710187fe3b..6e6e62b1324154de8841d9ed87439ecabd2edfab 100644 (file)
@@ -1073,7 +1073,7 @@ static int nsec3_hash_to_gcrypt_md(uint8_t algorithm) {
         }
 }
 
-int dnssec_nsec3_hash(const DnsResourceRecord *nsec3, const char *name, void *ret) {
+int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
         uint8_t wire_format[DNS_WIRE_FOMAT_HOSTNAME_MAX];
         gcry_md_hd_t md = NULL;
         size_t hash_size;
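Review bot: Dropping `const` from `nsec3` here, in `nsec3_hashed_domain()` and in the header prototype deserves a comment, because nothing in the visible signatures explains why a hash routine needs a mutable record. Presumably the reason is that `dns_resource_record_to_string()`, used in the new debug message, takes a non-const record. A line such as `/* nsec3 is non-const only because the debug log formats the RR */` above the definition would keep a later reader from assuming the hash computation itself modifies the record. The function body continues outside the hunk.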
@@ -1089,8 +1089,10 @@ int dnssec_nsec3_hash(const DnsResourceRecord *nsec3, const char *name, void *re
         if (nsec3->key->type != DNS_TYPE_NSEC3)
                 return -EINVAL;
 
-        if (nsec3->nsec3.iterations > NSEC3_ITERATIONS_MAX)
+        if (nsec3->nsec3.iterations > NSEC3_ITERATIONS_MAX) {
+                log_debug("Ignoring NSEC3 RR %s with excessive number of iterations.", dns_resource_record_to_string(nsec3));
                 return -EOPNOTSUPP;
+        }
 
         algorithm = nsec3_hash_to_gcrypt_md(nsec3->nsec3.algorithm);
         if (algorithm < 0)
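Review bot: The new `log_debug()` call passes the result of `dns_resource_record_to_string(nsec3)` straight to `%s`. If that helper can return NULL on allocation failure (its definition is not visible here), a null pointer reaches the format call on exactly the path that handles records from the network with out-of-policy parameters. Wrapping the argument as `strna(dns_resource_record_to_string(nsec3))` keeps the message well-defined in that case. The message could also print `nsec3->nsec3.iterations` next to `NSEC3_ITERATIONS_MAX`, so that the limit which was exceeded is visible without parsing the record text. The function body continues outside the hunk.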
@@ -1200,7 +1202,7 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsAnswerFlags flags, DnsResourc
         return dns_name_equal(a, b);
 }
 
-static int nsec3_hashed_domain(const DnsResourceRecord *nsec3, const char *domain, const char *zone, char **ret) {
+static int nsec3_hashed_domain(DnsResourceRecord *nsec3, const char *domain, const char *zone, char **ret) {
         _cleanup_free_ char *l = NULL, *hashed_domain = NULL;
         uint8_t hashed[DNSSEC_HASH_SIZE_MAX];
         int hashed_size;
index f1068750273570f261a21999c48c5ffbf7e80895..57858d0c1520160c1696478dd8e2ff0fe95ea7b3 100644 (file)
@@ -87,7 +87,7 @@ uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
 
 int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
 
-int dnssec_nsec3_hash(const DnsResourceRecord *nsec3, const char *name, void *ret);
+int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
 
 typedef enum DnssecNsecResult {
         DNSSEC_NSEC_NO_RR,     /* No suitable NSEC/NSEC3 RR found */