path: root/src/resolve/resolved-dns-answer.c
author: Lennart Poettering <lennart@poettering.net> 2016-01-05 01:35:28 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-05 01:35:28 +0100
commit: d3760be01b120df8980c056ecc85a4229d660264
tree: ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-dns-answer.c
parent: 519d39deeeec7121649f28e7287b7790e50d2979
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existence, if there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our questions including a high-TTL SOA RR for any parent zone, and we'd trust the TTL.
Diffstat (limited to 'src/resolve/resolved-dns-answer.c')
0 files changed, 0 insertions, 0 deletions
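
The clamp described in the commit message, as an added sketch that is not code from this commit or from systemd: the negative cache lifetime starts from the RFC 2308 value (the smaller of the SOA RR's TTL and its MINIMUM field) and is then capped by the TTL of every NSEC/NSEC3 RR the proof used. The `struct rr` model, the `used_in_proof` flag and `negative_cache_ttl()` are hypothetical names, and the sample records are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified record model; not systemd-resolved's own types. */
enum rr_type { RR_SOA = 6, RR_NSEC = 47, RR_NSEC3 = 50 };

struct rr {
    enum rr_type type;
    uint32_t ttl;          /* TTL carried by the RR itself */
    uint32_t soa_minimum;  /* SOA MINIMUM field; meaningful for RR_SOA only */
    bool used_in_proof;    /* NSEC/NSEC3 RR that proved non-existence */
};

/* Compute the lifetime of a negative cache entry. Returns false when the
 * response carries no SOA RR, in which case nothing is cached. */
bool negative_cache_ttl(const struct rr *rrs, size_t n, uint32_t *ret) {
    bool have_soa = false;
    uint32_t ttl = UINT32_MAX;

    for (size_t i = 0; i < n; i++) {
        const struct rr *r = &rrs[i];
        if (r->type == RR_SOA) {
            /* RFC 2308: the smaller of the SOA's TTL and its MINIMUM field */
            uint32_t t = r->ttl < r->soa_minimum ? r->ttl : r->soa_minimum;
            if (t < ttl) ttl = t;
            have_soa = true;
        } else if ((r->type == RR_NSEC || r->type == RR_NSEC3) && r->used_in_proof) {
            /* The clamp: the entry never outlives the RRs the proof rests on */
            if (r->ttl < ttl) ttl = r->ttl;
        }
    }
    if (!have_soa)
        return false;
    *ret = ttl;
    return true;
}

int main(void) {
    /* Constructed sample: week-long SOA values next to a 300 s NSEC3 RR */
    const struct rr answer[] = {
        { RR_SOA,   604800, 604800, false },
        { RR_NSEC3, 300,    0,      true  },
    };
    uint32_t ttl;
    if (negative_cache_ttl(answer, 2, &ttl))
        printf("negative cache TTL: %u s\n", (unsigned) ttl);
    return 0;
}
```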