projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| c6ce1e7e MT |
1 | From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001 |
| 2 | From: Simon Kelley <simon@thekelleys.org.uk> | |
| 3 | Date: Thu, 26 Mar 2015 21:15:43 +0000 | |
| 5f206778 | 4 | Subject: [PATCH 61/87] Don't fail DNSSEC when a signed CNAME dangles into an |
| c6ce1e7e MT |
5 | unsigned zone. |
| 6 | ||
| 7 | --- | |
| 8 | src/dnssec.c | 3 ++- | |
| 9 | 1 file changed, 2 insertions(+), 1 deletion(-) | |
| 10 | ||
| 11 | diff --git a/src/dnssec.c b/src/dnssec.c | |
| 12 | index ad0d6f072ba2..db5c768bd751 100644 | |
| 13 | --- a/src/dnssec.c | |
| 14 | +++ b/src/dnssec.c | |
| 15 | @@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch | |
| 16 | /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */ | |
| 17 | /* First marshall the NSEC records, if we've not done it previously */ | |
| 18 | if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) | |
| 19 | - return STAT_BOGUS; /* No NSECs */ | |
| 20 | + return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into | |
| 21 | + an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */ | |
| 22 | ||
| 23 | /* Get name of missing answer */ | |
| 24 | if (!extract_name(header, plen, &qname, name, 1, 0)) | |
| 25 | -- | |
| 26 | 2.1.0 | |
| 27 |