git.ipfire.org Git - thirdparty/bind9.git/commit

author	Michał Kępień <michal@isc.org>
	Wed, 24 Apr 2019 09:17:15 +0000 (11:17 +0200)
committer	Evan Hunt <each@isc.org>
	Fri, 10 May 2019 04:05:50 +0000 (21:05 -0700)
commit	f04f107b7ed73db3675457d88ffe176a7ae17f4b
tree	13169312baf7d981cf45af3b80832fa09e4af378	tree \| snapshot
parent	651aaf5542d0b86b2d19ba4eba0f3ab5939a5199	commit \| diff

Make NTAs work with validating forwarders

If named is configured to perform DNSSEC validation and also forwards
all queries ("forward only;") to validating resolvers, negative trust
anchors do not work properly because the CD bit is not set in queries
sent to the forwarders. As a result, instead of retrieving bogus DNSSEC
material and making validation decisions based on its configuration,
named is only receiving SERVFAIL responses to queries for bogus data.
Fix by ensuring the CD bit is always set in queries sent to forwarders
if the query name is covered by an NTA.

(cherry picked from commit 5e8048827015f4a04e61ae5f3c92758755fee6c3)

bin/tests/system/dnssec/ns1/sign.sh		diff \| blob \| blame \| history
bin/tests/system/dnssec/ns2/sign.sh		diff \| blob \| blame \| history
bin/tests/system/dnssec/ns9/named.conf.in	[new file with mode: 0644]	blob
bin/tests/system/dnssec/setup.sh		diff \| blob \| blame \| history
bin/tests/system/dnssec/tests.sh		diff \| blob \| blame \| history
lib/dns/include/dns/view.h		diff \| blob \| blame \| history
lib/dns/resolver.c		diff \| blob \| blame \| history
lib/dns/tests/keytable_test.c		diff \| blob \| blame \| history
lib/dns/view.c		diff \| blob \| blame \| history
util/copyrights		diff \| blob \| blame \| history