summaryrefslogtreecommitdiff
path: root/src/resolve
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-10 23:02:52 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-11 19:40:00 +0100
commit372dd764a6be504eb4b1fbe326ab8fa6ce66fd5d (patch)
treed6e56595295b8b3edaef9fc6491d2d3b62c9be4a /src/resolve
parent92ec902aad1ade7acbe50efd7b8ef87fbdc63af3 (diff)
resolved: accept rightfully unsigned NSEC responses
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-dns-transaction.c22
1 files changed, 13 insertions, 9 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index aa1970bc34..14a5c0f06a 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2552,18 +2552,22 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
return r;
/* Unless the NSEC proof showed that the key really doesn't exist something is off. */
- if (r == 0 || !authenticated)
+ if (r == 0)
result = DNSSEC_INVALID;
+ else {
+ r = dns_answer_move_by_key(&validated, &t->answer, rr->key, authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
+ if (r < 0)
+ return r;
- r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
- if (r < 0)
- return r;
-
- t->scope->manager->n_dnssec_secure++;
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
- /* Exit the loop, we dropped something from the answer, start from the beginning */
- changed = true;
- break;
+ /* Exit the loop, we dropped something from the answer, start from the beginning */
+ changed = true;
+ break;
+ }
}
if (result == DNSSEC_NO_SIGNATURE) {