author | Simon Kelley <simon@thekelleys.org.uk> | 2014-04-26 22:13:31 +0100 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2014-04-26 22:13:31 +0100 |
commit | 4872aa747b24238c0859166eaae0ae3d89364244 (patch) | |
tree | 3b5adb72a99bcc3e38cad51b8fbed825672f79a5 | |
parent | 50f86ce8e42a1f93bb1fa759ebb883df96c5b078 (diff) | |
download | dnsmasq-4872aa747b24238c0859166eaae0ae3d89364244.tar.gz |
Handle SERVFAIL replies when looking for proven-nonexistence of DS.
-rw-r--r-- | src/forward.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/src/forward.c b/src/forward.c
index 0079075..941f80d 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1347,13 +1347,20 @@ static int do_check_sign(time_t now, struct dns_header *header, size_t plen, cha
 {
 char *name_start;
 unsigned char *p;
- int status = dnssec_validate_ds(now, header, plen, name, keyname, class);
-
- if (status != STAT_INSECURE)
- {
- if (status == STAT_NO_DS)
- status = STAT_INSECURE;
- return status;
+ int status;
+
+ /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a
+ suitable NSEC reply to DS queries. */
+ if (RCODE(header) != SERVFAIL)
+ {
+ status = dnssec_validate_ds(now, header, plen, name, keyname, class);
+
+ if (status != STAT_INSECURE)
+ {
+ if (status == STAT_NO_DS)
+ status = STAT_INSECURE;
+ return status;
+ }
 }
 
 p = (unsigned char *)(header+1); |
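Review bot: On the SERVFAIL path `status` is now left unassigned and dnssec_validate_ds() is skipped, so everything after `p = (unsigned char *)(header+1);` runs on a reply that has had no validation at all. The RCODE is an unauthenticated header field, so the rest of do_check_sign (which continues outside this hunk) should only be able to reach STAT_INSECURE through a validated NSEC proof found further up the tree, never as a consequence of the SERVFAIL itself; otherwise the change would allow a downgrade from secure to insecure. Unless the code below always assigns `status` before reading or returning it, I would initialise it fail-closed, e.g. `int status = STAT_BOGUS;`. The comment could also name the later check that supplies the proof, so the "in this case only" condition is verifiable by the next reader.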