author | Simon Kelley <simon@thekelleys.org.uk> | 2014-02-25 23:13:28 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2014-02-25 23:13:28 +0000 |
commit | b47b04c8460321d18bd76e641f7cf2ba626e32ad (patch) | |
tree | df46f7bdfe9f36596943a4dedd732f594794f3ed | |
parent | 613ad15d02154f39e5335697035136b4dbe92b4d (diff) | |
Return INSECURE when validation fails with proved non-existent DS.
-rw-r--r-- | src/dnssec.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/dnssec.c b/src/dnssec.c
index a902ded..8a99a26 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1072,10 +1072,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 GETSHORT(qtype, p);
 GETSHORT(qclass, p);
- if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
- return STAT_BOGUS;
-
- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
+ if (qtype != T_DS || qclass != class)
+ val = STAT_BOGUS;
+ else
+ val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
 if (val == STAT_BOGUS)
 {
@@ -1083,7 +1083,11 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 extract_name(header, plen, &p, name, 1, 4);
 log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
 }
-
+
+ /* proved that no DS exists, can't validate */
+ if (val == STAT_SECURE && ntohs(header->ancount) == 0)
+ return STAT_INSECURE;
+
 return val;
 } |
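Review bot: The new INSECURE branch in the second hunk keys only on an empty answer section, which a validated NXDOMAIN reply also has, so a parent proving that the delegation name does not exist at all would be reported as an unsigned delegation rather than as a bad one; whether dnssec_validate_reply already separates those two cases is not visible here, as it is outside the hunk. RFC 4035 §5.2 treats "no DS at an existing delegation" and "name does not exist" differently, and since this is the point where a SECURE result is downgraded, it is worth confining the downgrade to the NODATA case, e.g. `if (val == STAT_SECURE && ntohs(header->ancount) == 0 && RCODE(header) == NOERROR)`, and deciding explicitly what the NXDOMAIN case should return. The comment should also state why the downgrade is correct rather than just "can't validate": `/* Validated empty answer: the parent proves there is no DS at this delegation, so the child zone is unsigned and its data is INSECURE, not SECURE. */`. dnssec_validate_ds starts before the first hunk, so where header and val come from is not visible.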