From 24a5b982cf5aac97488eb94dba18d71e8b2b411a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 14 Dec 2015 21:22:40 +0100
Subject: resolved: always consider NSEC/NSEC3 RRs as "primary"

It's not OK to drop these for our proof of non-existance checks.
---
 src/resolve/resolved-dns-transaction.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/resolve')

diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 82b49c1440..045627340b 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -1288,7 +1288,10 @@ static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRec

 /* Check if the specified RR is the "primary" response,
 * i.e. either matches the question precisely or is a
- * CNAME/DNAME for it */
+ * CNAME/DNAME for it, or is any kind of NSEC/NSEC3 RR */
+
+ if (IN_SET(rr->key->type, DNS_TYPE_NSEC, DNS_TYPE_NSEC3))
+ return 1;

 r = dns_resource_key_match_rr(t->key, rr, NULL);
 if (r != 0)
--
cgit v1.2.3-54-g00ecf
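Review bot: The new early return in dns_transaction_is_primary_response() classifies an RR as primary on its type alone, before the dns_resource_key_match_rr() comparison against t->key, so an NSEC/NSEC3 record whose owner name is unrelated to the question is treated exactly like one that belongs to the denial proof. The comment states what is accepted but not why, and the reason currently lives only in the commit message; I would put it at the check, e.g. `/* NSEC/NSEC3 RRs carry the proof of non-existence, hence never treat them as droppable, regardless of owner name */`. How much the missing name/zone restriction matters depends on what callers do with a primary RR that fails validation, which is not visible here; if that fails the whole transaction, a single stray unsigned NSEC in a response would presumably be enough to fail an otherwise valid lookup, and that trade-off deserves a sentence in the comment as well. The function body starts before and continues after this hunk.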