--------
- TCP to upstream: don't send wrong message length (unlikely, !816)
- http module: fix problems around maintenance of ephemeral certs (!819)
+- send EDNS with SERVFAILs, e.g. on validation failures (#180, !827)
Knot Resolver 4.0.0 (2019-04-18)
static int answer_fail(struct kr_request *request)
{
+ /* Note: OPT in SERVFAIL response is still useful for cookies/additional info. */
knot_pkt_t *answer = request->answer;
+ knot_rrset_t *opt_rr = answer->opt_rr; /* it gets NULLed below */
int ret = kr_pkt_clear_payload(answer);
knot_wire_clear_ad(answer->wire);
knot_wire_clear_aa(answer->wire);
knot_wire_set_rcode(answer->wire, KNOT_RCODE_SERVFAIL);
- if (ret == 0 && answer->opt_rr) {
- /* OPT in SERVFAIL response is still useful for cookies/additional info. */
+ if (ret == 0 && opt_rr) {
knot_pkt_begin(answer, KNOT_ADDITIONAL);
answer_padding(request); /* Ignore failed padding in SERVFAIL answer. */
+ answer->opt_rr = opt_rr;
ret = edns_put(answer, false);
}
return ret;
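Review bot: `answer_padding(request)` runs while `answer->opt_rr` is still NULL, because the restore `answer->opt_rr = opt_rr;` comes one line after it and the new comment on the saved pointer says the field gets NULLed by the payload clear. The body of answer_padding is not visible here, but if it reads the OPT record through `request->answer`, padding is either silently skipped on SERVFAIL answers (leaking response length on encrypted transports) or a NULL record reaches the EDNS option code. Restoring first avoids both: `answer->opt_rr = opt_rr;` followed by `answer_padding(request);`. The closing brace of answer_fail lies outside the hunk.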
{
/* Finalize answer and construct wire-buffer. */
ITERATE_LAYERS(request, NULL, answer_finalize);
- if (request->state & KR_STATE_FAIL) {
- state = KR_STATE_FAIL;
- } else if (answer_finalize(request, state) != 0) {
+ if (answer_finalize(request, state) != 0) {
state = KR_STATE_FAIL;
}
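Review bot: With the `request->state & KR_STATE_FAIL` guard removed, a failure recorded only in `request->state` no longer forces `state = KR_STATE_FAIL`. The call passes the local `state`, which the preceding `ITERATE_LAYERS(request, NULL, answer_finalize)` may not update (the macro is not visible here). If a layer can flag failure at that step, for example on a validation failure, the answer could be finalized as a normal response instead of SERVFAIL. Consider carrying the flag over before the call, `if (request->state & KR_STATE_FAIL) state = KR_STATE_FAIL;`, or add a comment stating why the two values cannot diverge at this point. The enclosing function starts and ends outside the hunk.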