diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-01-15 20:29:56 +0100 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-01-17 20:47:46 +0100 | 
| commit | b64513580ce627578351b76a502455e7bc62cae4 (patch) | |
| tree | 1545212ce96a08644c26866c4444b9d991742a37 /src/shared/nss-util.h | |
| parent | de54e62b4bd7856fb897c9a2ee93cc228adb2135 (diff) | |
resolved: when we receive an reply which is OPT-less or RRSIG-less, downgrade what we verified
If we receive a reply that lacks the OPT RR, then this is reason to downgrade what was verified before, as it's
apparently no longer true, and the previous OPT RR we saw was only superficially OK.
Similar, if we realize that RRSIGs are not augmented, then also downgrade the feature level that was verified, as
DNSSEC is after all not supported. This check is in particular necessary, as we might notice the fact that RRSIG is not
augmented only very late, when verifying the root domain.
Also, when verifying a successful response, actually take in consideration that it might have been reported already
that RRSIG or OPT are missing in the response.
Diffstat (limited to 'src/shared/nss-util.h')
0 files changed, 0 insertions, 0 deletions
