From: Simon Kelley Date: Thu, 26 Mar 2015 21:15:43 +0000 (+0000) Subject: Don't fail DNSSEC when a signed CNAME dangles into an unsigned zone. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8805283088d670baecb92569252c01cf754cda51;p=people%2Fms%2Fdnsmasq.git Don't fail DNSSEC when a signed CNAME dangles into an unsigned zone. --- diff --git a/src/dnssec.c b/src/dnssec.c index ad0d6f0..db5c768 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */ /* First marshall the NSEC records, if we've not done it previously */ if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) - return STAT_BOGUS; /* No NSECs */ + return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into + an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */ /* Get name of missing answer */ if (!extract_name(header, plen, &qname, name, 1, 0))
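Review bot: the `return STAT_NO_SIG` in this hunk fires for every NXDOMAIN or NODATA reply in which `find_nsec_records` finds no NSEC records, not only for the dangling-CNAME case the new comment names, so a reply from a signed zone whose NSEC records were stripped in transit now yields STAT_NO_SIG where it previously yielded STAT_BOGUS. The comment says this is returned "to cause this to be proved"; the hunk should state, or the caller should be checked to confirm, that a STAT_NO_SIG result here is always followed by a DS-based proof that the zone is genuinely unsigned before the answer is accepted as insecure, otherwise the downgrade weakens the check for all unsigned-NSEC replies rather than only for CNAME chains that leave signed space. Consider either narrowing the condition to replies that actually followed a CNAME, or expanding the comment to name the code path that performs the proof.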