diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
commit | d3760be01b120df8980c056ecc85a4229d660264 (patch) | |
tree | ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /sysctl.d | |
parent | 519d39deeeec7121649f28e7287b7790e50d2979 (diff) |
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existance, if it there is any.
This is necessary since otherwise an attacker might put together a faked
negative response for one of our question including a high-ttl SOA RR
for any parent zone, and we'd use trust the TTL.
Diffstat (limited to 'sysctl.d')
0 files changed, 0 insertions, 0 deletions