authorSimon Kelley <simon@thekelleys.org.uk>2015-03-26 21:15:43 +0000
committerSimon Kelley <simon@thekelleys.org.uk>2015-03-26 21:15:43 +0000
commit8805283088d670baecb92569252c01cf754cda51 (patch)
treee72ca00a8d7fde99a9254ba06494dcf852d290aa
parent65c721200023ef0023114459a8d12f8b0a24cfd8 (diff)
downloaddnsmasq-8805283088d670baecb92569252c01cf754cda51.tar.gz
Don't fail DNSSEC when a signed CNAME dangles into an unsigned zone.
-rw-r--r--src/dnssec.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/dnssec.c b/src/dnssec.c
index ad0d6f0..db5c768 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2032,7 +2032,8 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
/* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist */
/* First marshall the NSEC records, if we've not done it previously */
if (!nsec_type && !(nsec_type = find_nsec_records(header, plen, &nsecs, &nsec_count, qclass)))
- return STAT_BOGUS; /* No NSECs */
+ return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME pointing into
+ an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */
/* Get name of missing answer */
if (!extract_name(header, plen, &qname, name, 1, 0))