- Fix for zonemd, that nxdomain for the chain of trust is allowed
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 22 Feb 2021 16:32:40 +0000 (17:32 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 22 Feb 2021 16:32:40 +0000 (17:32 +0100)
  for island zones, it is treated as an insecure zone for verification.

doc/Changelog
services/authzone.c

index c051a49ae1742da744a2a3ad15f5ce220b45daff..4d14f49f570e8337588097bad37fac0556efc6f4 100644 (file)
@@ -1,6 +1,8 @@
 22 February 2021: Wouter
        - Fix #431: Squelch permission denied errors for tcp connect
          and udp connect from the logs, unless at high verbosity.
+       - Fix for zonemd, that nxdomain for the chain of trust is allowed
+         for island zones, it is treates as an insecure zone for verification.
 
 18 February 2021: Wouter
        - Merge PR #317: ZONEMD Zone Verification, with RFC 8976 support.
index 9818ab3441968cd4a93901edba4ba13248e31926..87a405c713b5ccb7349c6982ae526b67cd33b76a 100644 (file)
@@ -8117,6 +8117,32 @@ void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
                                        "zonemd lookup of DNSKEY has nodata");
                                reason = "lookup of DNSKEY has nodata";
                        }
+               } else if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+                       sec == sec_status_secure) {
+                       /* secure nxdomain, so the zone is like some RPZ zone
+                        * that does not exist in the wider internet, with
+                        * a secure nxdomain answer outside of it. So we
+                        * treat the zonemd zone without a dnssec chain of
+                        * trust, as insecure. */
+                       is_insecure = 1;
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure");
+               } else if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+                       sec == sec_status_insecure) {
+                       is_insecure = 1;
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure");
+               } else if(rep && rq.qtype == wanted_qtype &&
+                       query_dname_compare(z->name, rq.qname) == 0 &&
+                       FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
+                       sec == sec_status_indeterminate) {
+                       is_insecure = 1;
+                       auth_zone_log(z->name, VERB_ALGO,
+                               "zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure");
                } else {
                        auth_zone_log(z->name, VERB_ALGO,
                                "zonemd lookup of DNSKEY has no answer");