+29 March 2011: Wouter
+ - harden-below-nxdomain: changed so that it activates when the
+ cached nxdomain is dnssec secure. This avoids backwards
+ incompatibility because those old servers do not have dnssec.
+
24 March 2011: Wouter
- iana portlist updated.
- release 1.4.9.
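Review bot: "those old servers" in the new 29 March entry has no antecedent inside the changelog, so the entry cannot be read on its own. Name them, for example "old servers that return nxdomain for empty nonterminals", matching the wording the man page uses.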
below another name that is already known to be nxdomain. DNSSEC mandates
noerror for empty nonterminals, hence this is possible. Very old software
might return nxdomain for empty nonterminals (that usually happen for reverse
-IP address lookups), and thus may be incompatible with this. Default is off.
+IP address lookups), and thus may be incompatible with this. To try to avoid
+this only DNSSEC-secure nxdomains are used, because the old software does not
+have DNSSEC. Default is off.
.TP
.B harden\-referral\-path: \fI<yes or no>
Harden the referral path by performing additional queries for
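Review bot: the added sentence "To try to avoid this only DNSSEC-secure nxdomains are used" leaves the operational consequence implicit: the option now has no effect for a cached nxdomain that was not validated as DNSSEC-secure. State that directly, so that nobody enables harden-below-nxdomain expecting it to cover names in unsigned zones. Also add a comma after "To try to avoid this", since the sentence is hard to parse without it.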
struct reply_info* data = (struct reply_info*)e->data;
struct dns_msg* msg;
if(FLAGS_GET_RCODE(data->flags) == LDNS_RCODE_NXDOMAIN
- && data->security != sec_status_bogus
+ && data->security == sec_status_secure
&& (msg=tomsg(env, &k, data, region, now, scratch))){
lock_rw_unlock(&e->lock);
msg->qinfo.qname=qname;
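Review bot: the new test "data->security == sec_status_secure" has no comment saying why entries that are neither bogus nor secure are now skipped; the reason is recorded only in the changelog and the man page. Add a short comment above the condition, along the lines of "only use DNSSEC-secure nxdomains; old servers that return nxdomain for empty nonterminals have no DNSSEC". The change also narrows the check from "anything not bogus" to "secure only", so it is worth confirming that dropping the hardening for every other security status is the intended scope and not just a side effect of the compatibility fix.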