summaryrefslogtreecommitdiff
path: root/catalog
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-05-02 18:29:28 +0200
committerLennart Poettering <lennart@poettering.net>2016-05-02 18:29:28 +0200
commit4bbc06cc9e3b8c61c1ae3c4ee72bc834efd63fea (patch)
tree7680bc3b560215e6880d085fb02c7b865c9bf7e8 /catalog
parent33e40442c6c5d296dfaa733b8429bff1a24869cc (diff)
resolved: work around broken DNS zones set up by incapdns.net
incapdns.net returns NXDOMAIN for the SOA of the zone itself but is not a terminal. This is against the specs, but we really should be able to deal with this. Previously, when verifying whether an NXDOMAIN response for a SOA/NS lookup is rightfully unsigned we'd issue a SOA lookup for the parent's domain, to derive the state from that. If the parent SOA would get an NXDOMAIN, we'd continue upwards, until we hit a signed top-level domain, which suggests that the domain actually exists. With this change whenver we need to authenticate an NXDOMAIN SOA reply, we'll request the DS RR for the zone first, and use for validation, since that this must be from the parent's zone, not the incorrect lower zone. Fixes: #2894
Diffstat (limited to 'catalog')
0 files changed, 0 insertions, 0 deletions