Google Git
Sign in
gfiber / vendor / opensource / dnsmasq / f01d7be6c647cc41f4911cdedadf739e24b08f28^! / .
commitf01d7be6c647cc41f4911cdedadf739e24b08f28[log] [tgz]
authorSimon Kelley <simon@thekelleys.org.uk>Mon Feb 24 20:20:00 2014 +0000
committerSimon Kelley <simon@thekelleys.org.uk>Mon Feb 24 20:20:00 2014 +0000
treedc5b01e78c357d73f96fa29a4063e0554eb6e688
parentd387380a250843e1790d6d3d9e2d0464afd3bf87 [diff]
An NSEC record cannot attest to its own non-existance!

diff --git a/src/dnssec.c b/src/dnssec.c
index 12d8ac3..7c09d0d 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c

@@ -860,7 +860,7 @@
   GETSHORT(qclass, p);
   
   if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
-    return STAT_INSECURE;
+    return STAT_BOGUS;
 
    /* See if we have cached a DS record which validates this key */
   if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
@@ -894,7 +894,7 @@
       
       GETSHORT(flags, p);
       if (*p++ != 3)
-	return STAT_INSECURE;
+	return STAT_BOGUS;
       algo = *p++;
       keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
       key = NULL;
@@ -984,7 +984,7 @@
 		  
 		  GETSHORT(flags, p);
 		  if (*p++ != 3)
-		    return STAT_INSECURE;
+		    return STAT_BOGUS;
 		  algo = *p++;
 		  keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
 		  
@@ -1080,7 +1080,7 @@
   GETSHORT(qclass, p);
 
   if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
-    return STAT_INSECURE;
+    return STAT_BOGUS;
   
   val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
   
@@ -1255,6 +1255,10 @@
       
       if (rc == 0)
 	{
+	  /* 4035 para 5.4. Last sentence */
+	  if (type == T_NSEC || type == T_RRSIG)
+	    return STAT_SECURE;
+
 	  /* NSEC with the same name as the RR we're testing, check
 	     that the type in question doesn't appear in the type map */
 	  rdlen -= p - psave;