]> git.ipfire.org Git - thirdparty/systemd.git/commit - src/resolve/resolved-dns-dnssec.c
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 519d39d) | patch
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
authorLennart Poettering <lennart@poettering.net>
Tue, 5 Jan 2016 00:35:28 +0000 (01:35 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 5 Jan 2016 00:35:28 +0000 (01:35 +0100)
commitd3760be01b120df8980c056ecc85a4229d660264
treeca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7tree | snapshot
parent519d39deeeec7121649f28e7287b7790e50d2979commit | diff
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs

When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existance, if it there is any.

This is necessary since otherwise an attacker might put together a faked
negative response for one of our question including a high-ttl SOA RR
for any parent zone, and we'd use trust the TTL.
src/resolve/resolved-dns-cache.c diff | blob | blame | history
src/resolve/resolved-dns-cache.h diff | blob | blame | history
src/resolve/resolved-dns-dnssec.c diff | blob | blame | history
src/resolve/resolved-dns-dnssec.h diff | blob | blame | history
src/resolve/resolved-dns-transaction.c diff | blob | blame | history
src/resolve/resolved-dns-transaction.h diff | blob | blame | history
src/resolve/resolved-mdns.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.