diff options
author | Simon Kelley <simon@thekelleys.org.uk> | 2015-03-26 21:15:43 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2015-03-26 21:15:43 +0000 |
commit | 8805283088d670baecb92569252c01cf754cda51 (patch) | |
tree | e72ca00a8d7fde99a9254ba06494dcf852d290aa | |
parent | 65c721200023ef0023114459a8d12f8b0a24cfd8 (diff) | |
download | dnsmasq-8805283088d670baecb92569252c01cf754cda51.tar.gz |
Don't fail DNSSEC when a signed CNAME dangles into an unsigned zone.
-rw-r--r-- | src/dnssec.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/dnssec.c b/src/dnssec.c index ad0d6f0..db5c768 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */ /* First marshall the NSEC records, if we've not done it previously */ if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass))) - return STAT_BOGUS; /* No NSECs */ + return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into + an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */ /* Get name of missing answer */ if (!extract_name(header, plen, &qname, name, 1, 0)) |