summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-cache.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-12-18 19:12:48 +0100
committerLennart Poettering <lennart@poettering.net>2015-12-18 19:12:48 +0100
commitfd009cd80e511587c6afae59da8aff14e5e18fa3 (patch)
tree6ea8073a316773e35f1f830f6b7b65bd381e012e /src/resolve/resolved-dns-cache.c
parent1069048089d12462ccc1ce273802ef517433aff5 (diff)
resolved: check SOA authentication state when negative caching
We should never use the TTL of an unauthenticated SOA to cache an authenticated RR.
Diffstat (limited to 'src/resolve/resolved-dns-cache.c')
-rw-r--r--src/resolve/resolved-dns-cache.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 31325ecc88..df397e1ddd 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -529,12 +529,17 @@ int dns_cache_put(
* matching SOA record in the packet is used to to enable
* negative caching. */
- r = dns_answer_find_soa(answer, key, &soa);
+ r = dns_answer_find_soa(answer, key, &soa, &flags);
if (r < 0)
goto fail;
if (r == 0)
return 0;
+ /* Refuse using the SOA data if it is unsigned, but the key is
+ * signed */
+ if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
+ return 0;
+
r = dns_cache_put_negative(c, key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
if (r < 0)
goto fail;