author | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
commit | d3760be01b120df8980c056ecc85a4229d660264 (patch) | |
tree | ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-dns-transaction.h | |
parent | 519d39deeeec7121649f28e7287b7790e50d2979 (diff) |
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs

When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existence, if there is any.

This is necessary since otherwise an attacker might put together a faked
negative response for one of our questions including a high-ttl SOA RR
for any parent zone, and we'd trust the TTL.

Diffstat (limited to 'src/resolve/resolved-dns-transaction.h')
-rw-r--r-- | src/resolve/resolved-dns-transaction.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h index e0f29d95e7..ede33f9547 100644 --- a/src/resolve/resolved-dns-transaction.h +++ b/src/resolve/resolved-dns-transaction.h @@ -81,6 +81,7 @@ struct DnsTransaction { int answer_rcode; DnssecResult answer_dnssec_result; DnsTransactionSource answer_source; + uint32_t answer_nsec_ttl; /* Indicates whether the primary answer is authenticated, * i.e. whether the RRs from answer which directly match the |
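
Review bot: the new `answer_nsec_ttl` member of `struct DnsTransaction` has no comment, and it sits directly above the existing comment about whether the primary answer is authenticated, which describes a different member. The commit message says the clamp applies only if an NSEC/NSEC3 RR was used to prove non-existence, so the header should state, in a one-line comment next to the field, the unit of the value and which value means "no NSEC/NSEC3 TTL available". If that case is represented by 0, it cannot be told apart from a genuine TTL of 0, so a dedicated sentinel would be safer. This view is limited to the header, so where the field is initialised, reset alongside the other `answer_*` members, and applied to the cached TTL cannot be checked from these lines.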