diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-01-11 20:15:28 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-01-11 20:15:28 +0100 |
| commit | 04680e36a490fe9db1a5245ba9586efd8e8284dc (patch) | |
| tree | c9bf7163c69eed0a83da0095cf32a3ae8c369fa3 /src | |
| parent | d0129ddb9fbb07bed7c8ea51b8031f824bf506fb (diff) | |
resolved: don#t allow explicit queries for RRSIG RRs
We wouldn't know how to validate them, since they are the signatures, and hence have no signatures.
Diffstat (limited to 'src')
| -rw-r--r-- | src/resolve/dns-type.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c index 2522374c33..fb8228048d 100644 --- a/src/resolve/dns-type.c +++ b/src/resolve/dns-type.c @@ -77,7 +77,13 @@ bool dns_type_is_valid_query(uint16_t type) { 0, DNS_TYPE_OPT, DNS_TYPE_TSIG, - DNS_TYPE_TKEY); + DNS_TYPE_TKEY, + + /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as + * they aren't really payload, but signatures for payload, and cannot be validated on their + * own. After all they are the signatures, and have no signatures of their own validating + * them. */ + DNS_TYPE_RRSIG); } bool dns_type_is_valid_rr(uint16_t type) { |