Fix DNSSEC validation of ANY queries.
authorSimon Kelley <simon@thekelleys.org.uk>
Tue, 29 Apr 2014 12:02:41 +0000 (13:02 +0100)
committerSimon Kelley <simon@thekelleys.org.uk>
Tue, 29 Apr 2014 12:02:41 +0000 (13:02 +0100)
CHANGELOG
src/dnssec.c

index e0d2fed7c4591d60da2a2af38877f743431944cc..55c33b9f5fe4ce1246e0d4de66413488c761cb30 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,17 @@
+version 2.71
+            Subtle change to error handling to help DNSSEC validation 
+           when servers fail to provide NODATA answers for 
+           non-existent DS records.
+
+           Tweak code which removes DNSSEC records from answers when
+           not required. Fixes broken answers when additional section
+           has real records in it. Thanks to Marco Davids for the bug 
+           report.
+
+           Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+           for spotting that too.
+
+
 version 2.70
             Fix crash, introduced in 2.69, on TCP request when dnsmasq
            compiled with DNSSEC support, but running without DNSSEC
index 1aea2998c05b4e95fdc6bc727dd8041d5db469b8..47ecc51d2cad491ce9355bf902010b142d49f996 100644 (file)
@@ -1682,6 +1682,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
   GETSHORT(qtype, p1);
   GETSHORT(qclass, p1);
   ans_start = p1;
+
+  if (qtype == T_ANY)
+    have_answer = 1;
  
   /* Can't validate an RRISG query */
   if (qtype == T_RRSIG)
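Review bot: The added `have_answer = 1` for `qtype == T_ANY` is set before any answer record has been examined, so an ANY reply with an empty answer section is marked as answered too. If the rest of dnssec_validate_reply (outside this hunk) uses have_answer to skip the NSEC/NSEC3 denial-of-existence check, such a reply could be accepted as validated without any proof. That should be confirmed, and if so the condition could be narrowed to `if (qtype == T_ANY && ntohs(header->ancount) != 0)`. The assignment also needs a comment saying why ANY is special, for example `/* ANY matches whatever RRsets are returned, so no per-type match is needed to count the reply as answered. */`.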