authorLennart Poettering <lennart@poettering.net>2016-01-22 18:43:41 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-25 17:19:20 +0100
commitcbd100ac7cb74d7d44c7e6dda09d26b2616776f7 (patch)
tree884ee240b57ddaf537e394d4fa9bcf2ef6ed5bf2
parentab88b6d087c89fb052cedc6f145339fd24c1138e (diff)
resolved: don't insist in RRSIG metadata for NSEC3 RRs that have not been authenticated
In some cases we get NSEC3 RRs that have not been authenticated (because the chain of trust to the root is broken somewhere). We can use these for checking negative replies, as long as we don't claim they were ultimately authenticated. This means we need to be able to deal with NSEC3 RRs that lack RRSIG metadata.
-rw-r--r--src/resolve/resolved-dns-dnssec.c7
1 files changed, 4 insertions, 3 deletions
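--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1267,11 +1267,12 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
 if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
 return 0;
- /* Ignore NSEC3 RRs generated from wildcards */
- if (rr->n_skip_labels_source != 0)
+ /* Ignore NSEC3 RRs generated from wildcards. If these NSEC3 RRs weren't correctly signed we can't make this
+ * check (since rr->n_skip_labels_source is -1), but that's OK, as we won't trust them anyway in that case. */
+ if (rr->n_skip_labels_source != 0 && rr->n_skip_labels_source != (unsigned) -1)
 return 0;
 /* Ignore NSEC3 RRs that are located anywhere else than one label below the zone */
- if (rr->n_skip_labels_signer != 1)
+ if (rr->n_skip_labels_signer != 1 && rr->n_skip_labels_signer != (unsigned) -1)
 return 0;
 if (!nsec3)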
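Review bot: The relaxed depth check on the `rr->n_skip_labels_signer` line relies on the same reasoning as the comment above it, but the comment `/* Ignore NSEC3 RRs that are located anywhere else than one label below the zone */` is unchanged, so a reader sees an NSEC3 RR of unknown position being accepted with no explanation; extend it with `/* ... -1 here likewise means the RRSIG metadata is missing, so the RR can only ever back an unauthenticated proof. */`. The `(unsigned) -1` sentinel now appears twice in this hunk; `UINT_MAX`, or a named constant for the "unset" label count if the file already has one, would state the intent more clearly than the cast. Both relaxations are only safe because callers must never treat a proof built from such an RR as authenticated, and that invariant is worth stating where the function's result is consumed, which lies outside this hunk, as does the rest of nsec3_is_good on both sides.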