validate: avoid DNSSEC_NODS for . DS queries
authorVladimír Čunát <vladimir.cunat@nic.cz>
Mon, 9 Apr 2018 13:01:48 +0000 (15:01 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Thu, 12 Apr 2018 10:14:50 +0000 (12:14 +0200)
... after the parent commit. Perhaps it can't cause trouble,
but I'll feel safer this way.

lib/layer/validate.c

index 7f5e69659880f8a15ce09b6232a30ae1c1f0863f..38cd169f48af393574d3f08c2f5ab790b50eb904 100644 (file)
@@ -414,7 +414,7 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
                } else if (ret != 0) {
                        VERBOSE_MSG(qry, "<= bogus proof of DS non-existence\n");
                        qry->flags.DNSSEC_BOGUS = true;
-               } else {
+               } else if (proved_name[0] != '\0') { /* don't go to insecure for . DS */
                        VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
                        qry->flags.DNSSEC_NODS = true;
                        /* Rank the corresponding nonauth NS as insecure. */
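Review bot: With the added condition `else if (proved_name[0] != '\0')`, a successfully verified DS non-existence proof for the root name no longer matches any branch visible here, so it is skipped with no flag change and no VERBOSE_MSG (unless a branch after the hunk handles it). Since the guard exists to keep a `.` DS answer from switching validation to insecure, I would make the skip visible with a closing `else { VERBOSE_MSG(qry, "<= ignoring DS non-existence proof for root\n"); }` and extend the inline comment to give the reason, e.g. `/* root has no parent delegation; a . DS proof must never set DNSSEC_NODS */`. The check also dereferences `proved_name` unconditionally; its assignment is outside the hunk, so please confirm it cannot be NULL at this point. update_delegation starts and ends outside the hunk.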