From: Lennart Poettering <lennart@poettering.net>
Date: Sun, 10 Jan 2016 22:02:52 +0000 (+0100)
Subject: resolved: accept rightfully unsigned NSEC responses
X-Git-Tag: v229~151^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=372dd764a6be504eb4b1fbe326ab8fa6ce66fd5d;p=thirdparty%2Fsystemd.git

resolved: accept rightfully unsigned NSEC responses
---

diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index aa1970bc344..14a5c0f06af 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2552,18 +2552,22 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                         return r;
 
                                 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
-                                if (r == 0 || !authenticated)
+                                if (r == 0)
                                         result = DNSSEC_INVALID;
+                                else {
+                                        r = dns_answer_move_by_key(&validated, &t->answer, rr->key, authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
+                                        if (r < 0)
+                                                return r;
 
-                                r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
-                                if (r < 0)
-                                        return r;
-
-                                t->scope->manager->n_dnssec_secure++;
+                                        if (authenticated)
+                                                t->scope->manager->n_dnssec_secure++;
+                                        else
+                                                t->scope->manager->n_dnssec_insecure++;
 
-                                /* Exit the loop, we dropped something from the answer, start from the beginning */
-                                changed = true;
-                                break;
+                                        /* Exit the loop, we dropped something from the answer, start from the beginning */
+                                        changed = true;
+                                        break;
+                                }
                         }
 
                         if (result == DNSSEC_NO_SIGNATURE) {