src/patches/dnsmasq/0061-Don-t-fail-DNSSEC-when-a-signed-CNAME-dangles-into-a.patch

   1 From 8805283088d670baecb92569252c01cf754cda51 Mon Sep 17 00:00:00 2001
   2 From: Simon Kelley <simon@thekelleys.org.uk>
   3 Date: Thu, 26 Mar 2015 21:15:43 +0000
   4 Subject: [PATCH 61/71] Don't fail DNSSEC when a signed CNAME dangles into an
   5  unsigned zone.
   6
   7 ---
   8  src/dnssec.c | 3 ++-
   9  1 file changed, 2 insertions(+), 1 deletion(-)
  10
  11 diff --git a/src/dnssec.c b/src/dnssec.c
  12 index ad0d6f072ba2..db5c768bd751 100644
  13 --- a/src/dnssec.c
  14 +++ b/src/dnssec.c
  15 @@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
  16    /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */
  17    /* First marshall the NSEC records, if we've not done it previously */
  18    if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass)))
  19 -    return STAT_BOGUS; /* No NSECs */
  20 +    return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into
  21 +                          an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
  22
  23    /* Get name of missing answer */
  24    if (!extract_name(header, plen, &qname, name, 1, 0))
  25 --
  26 2.1.0
  27