author | Lennart Poettering <lennart@poettering.net> | 2016-01-10 23:02:52 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-11 19:40:00 +0100 |
commit | 372dd764a6be504eb4b1fbe326ab8fa6ce66fd5d (patch) | |
tree | d6e56595295b8b3edaef9fc6491d2d3b62c9be4a /src/resolve | |
parent | 92ec902aad1ade7acbe50efd7b8ef87fbdc63af3 (diff) |
resolved: accept rightfully unsigned NSEC responses
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index aa1970bc34..14a5c0f06a 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2552,18 +2552,22 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 return r;
 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
- if (r == 0 || !authenticated)
+ if (r == 0)
 result = DNSSEC_INVALID;
+ else {
+ r = dns_answer_move_by_key(&validated, &t->answer, rr->key, authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
+ if (r < 0)
+ return r;
- r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
- if (r < 0)
- return r;
-
- t->scope->manager->n_dnssec_secure++;
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
- /* Exit the loop, we dropped something from the answer, start from the beginning */
- changed = true;
- break;
+ /* Exit the loop, we dropped something from the answer, start from the beginning */
+ changed = true;
+ break;
+ }
 }
 if (result == DNSSEC_NO_SIGNATURE) { |
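Review bot: The new `else` branch moves the RR into `validated` with flags `0` when `authenticated` is false, but nothing in the hunk says what guarantees that the NSEC proof is unsigned rightfully rather than merely unvalidated. The code that sets `authenticated` is outside the hunk, so I cannot confirm this; if the flag only means "the NSEC RRs were not verified", a response from a signed zone whose signatures are missing would now be counted in `n_dnssec_insecure` instead of being rejected as `DNSSEC_INVALID`. Please state the invariant at the branch, e.g. `/* Unsigned NSEC proof: only acceptable because the zone was proven unsigned; the RR gets neither the AUTHENTICATED nor the CACHEABLE flag */`, and reword the existing comment above `if (r == 0)`, which still reads as if an unauthenticated proof were an error. dns_transaction_validate_dnssec() starts and ends outside the hunk.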