authorSimon Kelley <simon@thekelleys.org.uk>2014-02-24 20:20:00 +0000
committerSimon Kelley <simon@thekelleys.org.uk>2014-02-24 20:20:00 +0000
commitf01d7be6c647cc41f4911cdedadf739e24b08f28 (patch)
treedc5b01e78c357d73f96fa29a4063e0554eb6e688
parentd387380a250843e1790d6d3d9e2d0464afd3bf87 (diff)
downloaddnsmasq-f01d7be6c647cc41f4911cdedadf739e24b08f28.tar.gz
An NSEC record cannot attest to its own non-existance!
-rw-r--r--src/dnssec.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/dnssec.c b/src/dnssec.c
index 12d8ac3..7c09d0d 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -860,7 +860,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(qclass, p);
if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
- return STAT_INSECURE;
+ return STAT_BOGUS;
/* See if we have cached a DS record which validates this key */
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
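Review bot: The new `return STAT_BOGUS;` at line 23 carries no comment saying why a reply that does not match the DNSKEY question, or answers it with nothing, is classed as bogus rather than insecure, and that distinction is the whole point of the change: STAT_INSECURE lets the reply through unvalidated, STAT_BOGUS fails closed. A one-line comment above the `if` would keep a later maintainer from relaxing it back, e.g. `/* A reply that doesn't answer our DNSKEY question can't prove the zone is unsigned: fail closed (BOGUS) rather than accept it unvalidated. */`. The same applies to the DS check in the hunk at line 1080. dnssec_validate_by_ds starts and ends outside this hunk, so I cannot see whether the rcode is examined before ancount; if it is not, a SERVFAIL or REFUSED reply also lands here, which is presumably intended but worth stating in that comment.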
@@ -894,7 +894,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_INSECURE;
+ return STAT_BOGUS;
algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
key = NULL;
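Review bot: Nothing in this hunk bounds `rdlen` before the flags, protocol and algorithm bytes are consumed at lines 27–31 and `rdlen - 4` is handed to dnskey_keytag at line 32; if no `rdlen >= 4` check precedes the hunk (dnssec_validate_by_ds starts outside it, so I cannot see), a DNSKEY RR with a short RDATA would make `rdlen - 4` wrap or go negative and the key-tag computation read past the RDATA. A guard such as `if (rdlen < 4) return STAT_BOGUS;` before `GETSHORT(flags, p);` would close that, and the same shape recurs in the hunk at line 984. The protocol check itself could also cite its source so the BOGUS verdict reads as deliberate: `/* RFC 4034 2.1.2: protocol must be 3; anything else is an invalid key, not an unsigned zone */`.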
@@ -984,7 +984,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_INSECURE;
+ return STAT_BOGUS;
algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
@@ -1080,7 +1080,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
GETSHORT(qclass, p);
if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
- return STAT_INSECURE;
+ return STAT_BOGUS;
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
@@ -1255,6 +1255,10 @@ static int prove_non_existance_nsec(struct dns_header *header, size_t plen, unsi
if (rc == 0)
{
+ /* 4035 para 5.4. Last sentence */
+ if (type == T_NSEC || type == T_RRSIG)
+ return STAT_SECURE;
+
/* NSEC with the same name as the RR we're testing, check
that the type in question doesn't appear in the type map */
rdlen -= p - psave;