-rw-r--r-- | CHANGELOG | 3 | ||||
-rw-r--r-- | src/cache.c | 4 | ||||
-rw-r--r-- | src/dnsmasq.h | 1 | ||||
-rw-r--r-- | src/rfc1035.c | 7 |
4 files changed, 12 insertions, 3 deletions
@@ -31,6 +31,9 @@ version 2.72
 --conf-dir=/etc/dnsmasq.d,\*.conf will load all the files in /etc/dnsmasq.d which end in .conf
+ Fix bug when resulted in NXDOMAIN answers instead of NODATA in
+ some circumstances.
+
 version 2.71
 Subtle change to error handling to help DNSSEC validation
diff --git a/src/cache.c b/src/cache.c
index 5cec918..2c3a498 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -636,7 +636,7 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
 {
 if ((crecp->flags & F_FORWARD) &&
 #ifdef HAVE_DNSSEC
- ((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) &&
+ (((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) &&
 #endif
 (crecp->flags & prot) &&
 hostname_isequal(cache_get_name(crecp), name))
@@ -696,7 +696,7 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
 if (ans &&
 (ans->flags & F_FORWARD) &&
 #ifdef HAVE_DNSSEC
- ((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) &&
+ (((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) &&
 #endif
 (ans->flags & prot) &&
 hostname_isequal(cache_get_name(ans), name))
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index a1ac1d1..e74b15a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -440,6 +440,7 @@ struct crec {
 #define F_SECSTAT (1u<<24)
 #define F_NO_RR (1u<<25)
 #define F_IPSET (1u<<26)
+#define F_NSIGMATCH (1u<<27)
 /* Values of uid in crecs with F_CONFIG bit set. */
 #define SRC_INTERFACE 0
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 25ac167..8a7d260 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
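Review bot: The widened DNSSEC type test is written out twice, once on the `crecp` condition in the hunk at -636 and again on the `ans` condition in the hunk at -696, so the two sites can drift apart the next time the rule changes, and this test decides which record types a lookup is allowed to return. A single helper used at both places, for example `#define DNSSEC_TYPE_OK(f, p) ((((f) & (F_DNSKEY | F_DS)) == ((p) & (F_DNSKEY | F_DS))) || ((p) & F_NSIGMATCH))`, would also make the nested parentheses easier to audit. Both conditions sit inside cache_find_by_name, whose body starts and ends outside these hunks.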
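Review bot: `F_NSIGMATCH` is added among the record flag bits in src/dnsmasq.h without a comment, although the cache.c hunks use it only as a modifier inside the `prot` argument. cache_find_by_name still evaluates `(crecp->flags & prot)` with that bit included, so a crec that ever carried bit 27 would match every F_NSIGMATCH lookup; nothing visible here stores it, but nothing enforces that either. I would document the intent on the define, e.g. `#define F_NSIGMATCH (1u<<27) /* lookup modifier for cache_find_by_name() only; never set in crec->flags */`.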
@@ -1246,7 +1246,12 @@ int check_for_local_domain(char *name, time_t now)
 struct ptr_record *ptr;
 struct naptr *naptr;
- if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR)) &&
+ /* Note: the call to cache_find_by_name is intended to find any record which matches
+ ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
+ cache_find_by name ordinarily only returns records with an exact match on those bits (ie
+ for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
+
+ if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR | F_NSIGMATCH)) &&
 (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
 return 1; |
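Review bot: The new comment above the cache_find_by_name call does not say that RRSIG cache entries are now returned as well. With F_NSIGMATCH in the mask the exact-match test is bypassed, and since the comment itself states that RRSIG records carry both F_DS and F_DNSKEY, they satisfy `(flags & prot)` through the F_DS bit. The only thing keeping such an entry from counting as local is the `F_HOSTS | F_DHCP | F_CONFIG` test on the following line, so I would add a sentence such as `RRSIG entries may therefore be returned too; the F_HOSTS|F_DHCP|F_CONFIG test below is what limits the result to local data.` The comment also contains the typo `cache_find_by name`. check_for_local_domain continues outside the hunk.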