resolved: when caching negative responses, honour NSEC/NSEC3 TTLs - ~lukeshu/systemd - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Lennart Poettering <lennart@poettering.net>	2016-01-05 01:35:28 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-05 01:35:28 +0100
commit	d3760be01b120df8980c056ecc85a4229d660264 (patch)
tree	ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-dns-trust-anchor.c
parent	519d39deeeec7121649f28e7287b7790e50d2979 (diff)

resolved: when caching negative responses, honour NSEC/NSEC3 TTLs

When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existance, if it there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our question including a high-ttl SOA RR for any parent zone, and we'd use trust the TTL.

Diffstat (limited to 'src/resolve/resolved-dns-trust-anchor.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: