]> git.ipfire.org Git - thirdparty/unbound.git/commitdiff
projects / thirdparty / unbound.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6c2fa12)
- Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 14 Nov 2017 10:01:44 +0000 (10:01 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Tue, 14 Nov 2017 10:01:44 +0000 (10:01 +0000)
  set for stub zone.  It no longer searches for DNSSEC information.

git-svn-id: file:///svn/unbound/trunk@4404 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog patch | blob | blame | history
iterator/iter_utils.c patch | blob | blame | history
iterator/iter_utils.h patch | blob | blame | history

diff --git a/doc/Changelog b/doc/Changelog
index f494e181ea6fa880804260988b9bda19874254cf..4510765d4eb44bce5eead9a3bb904edb626921e5 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+14 November 2017: Wouter 
+       - Fix #2882: Unbound behaviour changes (wrong) when domain-insecure is
+         set for stub zone.  It no longer searches for DNSSEC information.
+
 13 November 2017: Wouter 
        - Fix #2801: Install libunbound.pc.
        - Fix qname minimisation to send AAAA queries at zonecut like type A.
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 0b1b456113f7ac38dcb1fee6d10e939126bcd367..70cab40faa80149ef0532d826d7cda8a8ae89569 100644 (file)
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -656,6 +656,11 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
        /* a trust anchor exists with this name, RRSIGs expected */
        if((a=anchor_find(env->anchors, dp->name, dp->namelabs, dp->namelen,
                dclass))) {
+               if(a->numDS == 0 && a->numDNSKEY == 0) {
+                       /* insecure trust point */
+                       lock_basic_unlock(&a->lock);
+                       return 0;
+               }
                lock_basic_unlock(&a->lock);
                return 1;
        }
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index d0629a83e0df8ed2b71908c58a10da390e22bf23..602fa6db3d0d5df919737ba36810ca61e20cd385 100644 (file)
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -193,7 +193,7 @@ int iter_indicates_dnssec_fwd(struct module_env* env,
  * @param dp: delegation point.
  * @param msg: delegation message, with DS if a secure referral.
  * @param dclass: class of query.
- * @return 1 if dnssec is expected, 0 if not.
+ * @return 1 if dnssec is expected, 0 if not or insecure point above qname.
  */
 int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
        struct dns_msg* msg, uint16_t dclass);
Mirror of https://github.com/NLnetLabs/unbound.git