authorSimon Kelley <simon@thekelleys.org.uk>2014-04-29 13:02:41 +0100
committerSimon Kelley <simon@thekelleys.org.uk>2014-04-29 13:02:41 +0100
commit9d1b22aac29cfe0d820e6f49fa089a5a67d1b2ec (patch)
tree3ad295337c97091e7f6e29adf58ccbbabd6c9de1
parent1fc02680afbc5f263321cfa2c0101820246d79cb (diff)
Fix DNSSEC validation of ANY queries.
-rw-r--r--CHANGELOG14
-rw-r--r--src/dnssec.c3
2 files changed, 17 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index e0d2fed..55c33b9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,17 @@
+version 2.71
+ Subtle change to error handling to help DNSSEC validation
+ when servers fail to provide NODATA answers for
+ non-existent DS records.
+
+ Tweak code which removes DNSSEC records from answers when
+ not required. Fixes broken answers when additional section
+ has real records in it. Thanks to Marco Davids for the bug
+ report.
+
+ Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+ for spotting that too.
+
+
version 2.70
Fix crash, introduced in 2.69, on TCP request when dnsmasq
compiled with DNSSEC support, but running without DNSSEC
diff --git a/src/dnssec.c b/src/dnssec.c
index 1aea299..47ecc51 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1682,6 +1682,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
GETSHORT(qtype, p1);
GETSHORT(qclass, p1);
ans_start = p1;
+
+ if (qtype == T_ANY)
+ have_answer = 1;
/* Can't validate an RRISG query */
if (qtype == T_RRSIG)