author Lennart Poettering <lennart@poettering.net> 2016-01-05 22:13:56 +0100
committer Lennart Poettering <lennart@poettering.net> 2016-01-05 22:13:56 +0100
commit d33b6cf343f5a1e073c3060878d2cc5fed54d150
tree 815e916b2e147681b2eb532322703d3bd365c989 /src/socket-proxy
parent 105f6c4bdcdd9c7233370f1bc143913d5ab0d099
resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected, DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers.
Diffstat (limited to 'src/socket-proxy')
0 files changed, 0 insertions, 0 deletions