In some problematic scenarios, primary servers send truncated SOA responses. As a workaround, this setting
can be turned off, and the DO flag as well as the signature checking will be disabled. To avoid additional
-drift, primary servers then must always increase the zone serial on signature changes.
+drift, primary servers must then always increase the zone serial when it updates signatures.
It is strongly recommended to keep this setting enabled (`yes`).
}
sdomains.reserve(rdomains.size());
DNSSECKeeper dk(B); // NOW HEAR THIS! This DK uses our B backend, so no interleaved access!
+ bool checkSignatures = ::arg().mustDo("secondary-check-signature-freshness") && dk.doesDNSSEC();
{
auto data = d_data.lock();
domains_by_name_t& nameindex=boost::multi_index::get<IDTag>(data->d_suckdomains);
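Review bot: `checkSignatures` is now computed once, before the per-zone work, from the global setting and `dk.doesDNSSEC()`, whereas the removed lines re-evaluated `dk.doesDNSSEC()` inside the loop for every zone; this is equivalent only if doesDNSSEC() reports a backend capability rather than anything per-zone, which I take to be the case but cannot confirm from the hunk. The hoisted flag also does double duty — it is copied into `dni.dnssecOk` in the next hunk, which by the documentation hunk above controls the DO flag on the SOA query, and it gates the RRSIG freshness comparison further down — so it deserves a comment at its declaration, e.g. `// Evaluated once per pass: RRSIG freshness checks need both the setting and a DNSSEC-capable backend; when false the SOA query is also sent without DO.` The enclosing function starts before this hunk and continues past it.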
}
DomainNotificationInfo dni;
- dni.di=di;
- if (::arg().mustDo("secondary-check-signature-freshness")) {
- dni.dnssecOk = dk.doesDNSSEC();
- } else {
- dni.dnssecOk = false;
- }
+ dni.di = di;
+ dni.dnssecOk = checkSignatures;
if(dk.getTSIGForAccess(di.zone, sr.master, &dni.tsigkeyname)) {
string secret64;
}
else if(hasSOA && theirserial == ourserial) {
uint32_t maxExpire=0, maxInception=0;
- if(dk.isPresigned(di.zone) && ::arg().mustDo("secondary-check-signature-freshness")) {
+ if(checkSignatures && dk.isPresigned(di.zone)) {
B->lookup(QType(QType::RRSIG), di.zone, di.id); // can't use DK before we are done with this lookup!
DNSZoneRecord zr;
while(B->get(zr)) {