]> git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
Merge remote-tracking branch 'ms/ipsec-subnets' into next
1 From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001
2 From: Simon Kelley <simon@thekelleys.org.uk>
3 Date: Wed, 9 Sep 2015 22:51:13 +0100
4 Subject: [PATCH] Handle signed dangling CNAME replies to DS queries.
5
6 ---
7 src/dnssec.c | 7 ++-----
8 1 file changed, 2 insertions(+), 5 deletions(-)
9
10 diff --git a/src/dnssec.c b/src/dnssec.c
11 index 4deda24..67ce486 100644
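--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 
 /* If we return STAT_NO_SIG, name contains the name of the DS query */
 if (val == STAT_NO_SIG)
- {
- *keyname = 0;
- return val;
- }
-
+ return val;
+
 /* If the key needed to validate the DS is on the same domain as the DS, we'll
 loop getting nowhere. Stop that now. This can happen of the DS answer comes
 from the DS's zone, and not the parent zone. */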
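Review bot: The comment above the `if (val == STAT_NO_SIG)` return still describes only `name`, but with `*keyname = 0` removed the function now returns whatever is in `keyname` on that path, and nothing in the hunk says what that is. Because this status feeds DNSSEC validation decisions, the contract should be stated in the comment, for example `/* If we return STAT_NO_SIG, name contains the name of the DS query and keyname is left as set above for the caller. */`. The callers of dnssec_validate_ds are outside the hunk, so it is worth confirming that each one handles a non-empty `keyname` for this status and does not rely on the old empty string. The function body begins before and continues after the hunk, so where `val` and `keyname` are assigned is not visible here.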
28 --
29 1.7.10.4
30