From: Simon Kelley Date: Tue, 12 Jan 2016 11:28:58 +0000 (+0000) Subject: DNSSEC: Handle non-root trust anchors, and check we have a root trust anchor. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a63b8b89e66a097fca7cba3efc7923636574ec2c;p=people%2Fms%2Fdnsmasq.git DNSSEC: Handle non-root trust anchors, and check we have a root trust anchor. --- diff --git a/src/dnsmasq.c b/src/dnsmasq.c index 8032fc7..e993629 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -169,8 +169,16 @@ int main (int argc, char **argv) if (option_bool(OPT_DNSSEC_VALID)) { #ifdef HAVE_DNSSEC - if (!daemon->ds) - die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF); + struct ds_config *ds; + + /* Must have at least a root trust anchor, or the DNSSEC code + can loop forever. */ + for (ds = daemon->ds; ds; ds = ds->next) + if (ds->name[0] == 0) + break; + + if (!ds) + die(_("no root trust anchor provided for DNSSEC"), NULL, EC_BADCONF); if (daemon->cachesize < CACHESIZ) die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); diff --git a/src/dnssec.c b/src/dnssec.c index a432ebf..18efa59 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -1873,10 +1873,27 @@ static int prove_non_existence(struct dns_header *header, size_t plen, char *key */ static int zone_status(char *name, int class, char *keyname, time_t now) { - int name_start = strlen(name); + int name_start = strlen(name); /* for when TA is root */ struct crec *crecp; char *p; + + /* First, work towards the root, looking for a trust anchor. + This can either be one configured, or one previously cached. + We can assume, if we don't find one first, that there is + a trust anchor at the root. */ + for (p = name; p; p = strchr(p, '.')) + { + if (*p == '.') + p++; + + if (cache_find_by_name(NULL, p, now, F_DS)) + { + name_start = p - name; + break; + } + } + /* Now work away from the trust anchor */ while (1) { strcpy(keyname, &name[name_start]);
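Review bot: The root-anchor test `if (ds->name[0] == 0)` encodes the root zone as the empty string, which is only correct if the trust-anchor option parser stores a root anchor that way; if it ever keeps a literal "." the daemon would now refuse to start with "no root trust anchor provided for DNSSEC" even though one was configured. I would pin that invariant above the loop with `/* The root zone is stored as the empty name, never "." */` so a later parser change cannot silently break this check. The check also only requires that some DS with the empty name exists, so a root anchor with an unsupported digest type still passes startup and is presumably only rejected later in the validation path — if so, the comment should say that this is a presence check, not a validity check.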
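Review bot: The anchor search starts at `name` itself and breaks on the first `cache_find_by_name(NULL, p, now, F_DS)` hit, so `name_start = p - name` turns the most specific DS in the cache into the trust anchor for this validation; that is only sound if F_DS entries are never cached from unvalidated responses, since an attacker-supplied DS would otherwise become a trust anchor here. The new comment states the intent but not that precondition, so I would extend it with `/* Relies on F_DS cache entries being only configured anchors or DS RRsets that were themselves validated. */`. Because `p++` skips the dot, a name with a trailing dot yields `p == ""` on the last pass, i.e. the root lookup, which coincides with the `strlen(name)` "TA is root" fallback — fine, but the comment should say the two root paths are deliberately equivalent. Minor: `name_start` is an `int` assigned from `strlen()` and from a pointer difference; `size_t` (or `ptrdiff_t`) would avoid the implicit narrowing, presumably harmless given bounded DNS names. zone_status continues past the end of this hunk.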