From fd009cd80e511587c6afae59da8aff14e5e18fa3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 18 Dec 2015 19:12:48 +0100
Subject: resolved: check SOA authentication state when negative caching

We should never use the TTL of an unauthenticated SOA to cache an
authenticated RR.
---
 src/resolve/resolved-dns-cache.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/resolve/resolved-dns-cache.c')

diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 31325ecc88..df397e1ddd 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -529,12 +529,17 @@ int dns_cache_put(
          * matching SOA record in the packet is used to to enable
          * negative caching. */
 
-        r = dns_answer_find_soa(answer, key, &soa);
+        r = dns_answer_find_soa(answer, key, &soa, &flags);
         if (r < 0)
                 goto fail;
         if (r == 0)
                 return 0;
 
+        /* Refuse using the SOA data if it is unsigned, but the key is
+         * signed */
+        if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
+                return 0;
+
         r = dns_cache_put_negative(c, key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
         if (r < 0)
                 goto fail;
-- 
cgit v1.2.3-54-g00ecf