resolved: check SOA authentication state when negative caching

We should never use the TTL of an unauthenticated SOA to cache an authenticated RR.
author: Lennart Poettering <lennart@poettering.net> 2015-12-18 19:12:48 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-12-18 19:12:48 +0100
commit: fd009cd80e511587c6afae59da8aff14e5e18fa3 (patch)
tree: 6ea8073a316773e35f1f830f6b7b65bd381e012e /src/resolve/resolved-dns-cache.c
parent: 1069048089d12462ccc1ce273802ef517433aff5 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 31325ecc88..df397e1ddd 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -529,12 +529,17 @@ int dns_cache_put(
          * matching SOA record in the packet is used to to enable
          * negative caching. */
 
-        r = dns_answer_find_soa(answer, key, &soa);
+        r = dns_answer_find_soa(answer, key, &soa, &flags);
         if (r < 0)
                 goto fail;
         if (r == 0)
                 return 0;
 
+        /* Refuse using the SOA data if it is unsigned, but the key is
+         * signed */
+        if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
+                return 0;
+
         r = dns_cache_put_negative(c, key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
         if (r < 0)
                 goto fail;
author	Lennart Poettering <lennart@poettering.net>	2015-12-18 19:12:48 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-12-18 19:12:48 +0100
commit	fd009cd80e511587c6afae59da8aff14e5e18fa3 (patch)
tree	6ea8073a316773e35f1f830f6b7b65bd381e012e /src/resolve/resolved-dns-cache.c
parent	1069048089d12462ccc1ce273802ef517433aff5 (diff)