From 3c87eb6c49649d3cc52a6cbdfe25da5556aa4a82 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Tue, 29 Mar 2011 09:47:54 +0000
Subject: [PATCH] - harden-below-nxdomain: changed so that it activates when the cached nxdomain is dnssec secure. This avoids backwards incompatibility because those old servers do not have dnssec.

git-svn-id: file:///svn/unbound/trunk@2407 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 5 +++++
 doc/unbound.conf.5.in | 4 +++-
 services/cache/dns.c | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index e12ddab46..af3822a0e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+29 March 2011: Wouter
+	- harden-below-nxdomain: changed so that it activates when the
+	cached nxdomain is dnssec secure. This avoids backwards
+	incompatibility because those old servers do not have dnssec.
+
 24 March 2011: Wouter
 	- iana portlist updated.
 	- release 1.4.9.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index c700637ec..c214e23da 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -471,7 +471,9 @@ From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
 below another name that is already known to be nxdomain.  DNSSEC mandates
 noerror for empty nonterminals, hence this is possible.  Very old software
 might return nxdomain for empty nonterminals (that usually happen for reverse
-IP address lookups), and thus may be incompatible with this. Default is off.
+IP address lookups), and thus may be incompatible with this. To try to avoid
+this only DNSSEC-secure nxdomains are used, because the old software does not
+have DNSSEC. Default is off.
 .TP
 .B harden\-referral\-path: \fI
 Harden the referral path by performing additional queries for
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 9a21516c8..2fb8a6436 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -685,7 +685,7 @@ dns_cache_lookup(struct module_env* env,
 		struct reply_info* data = (struct reply_info*)e->data;
 		struct dns_msg* msg;
 		if(FLAGS_GET_RCODE(data->flags) == LDNS_RCODE_NXDOMAIN
-			&& data->security != sec_status_bogus
+			&& data->security == sec_status_secure
 			&& (msg=tomsg(env, &k, data, region, now, scratch))){
 			lock_rw_unlock(&e->lock);
 			msg->qinfo.qname=qname;
-- 
2.47.2
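Review bot: The tightened `data->security == sec_status_secure` test is the entire safety argument for handing a cached NXDOMAIN back as the answer for a name below it, yet the reasoning lives only in the changelog and man page, so a later reader could loosen it back to `!= sec_status_bogus` without seeing what breaks; a comment on the condition would pin it: `/* synthesize below a cached NXDOMAIN only if it validated as secure: DNSSEC mandates NOERROR for empty nonterminals, and the old servers that wrongly answer NXDOMAIN there do not sign, so an unchecked or insecure NXDOMAIN must not be reused this way */`. It is also worth stating, there or in the option's documentation, that a cached NXDOMAIN presumably only reaches sec_status_secure when validation is configured, so on a non-validating resolver this branch would never fire and the option is effectively a no-op — confirm against the validator before documenting it. The enclosing dns_cache_lookup() begins before and continues after this hunk, so the read lock taken on `e` and the path for non-matching entries are out of view here.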