
Removed the restriction that answers under a security root must have SIG

records in the answer, since they might be in an unsecure subdomain.
Brian Wellington
2000-04-18 17:44:22 +00:00
parent eb5250f0bd
commit 605b13c0dc


@@ -2150,6 +2150,7 @@ validated(isc_task_t *task, isc_event_t *event) {
if (result != ISC_R_SUCCESS && if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED) result != DNS_R_UNCHANGED)
goto cleanup; goto cleanup;
if (vevent->sigrdataset != NULL) {
result = dns_db_addrdataset(fctx->res->view->cachedb, result = dns_db_addrdataset(fctx->res->view->cachedb,
node, NULL, now, node, NULL, now,
vevent->sigrdataset, 0, vevent->sigrdataset, 0,
@@ -2157,6 +2158,7 @@ validated(isc_task_t *task, isc_event_t *event) {
if (result != ISC_R_SUCCESS && if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED) result != DNS_R_UNCHANGED)
goto cleanup; goto cleanup;
}
fctx->attributes |= FCTX_ATTR_HAVEANSWER; fctx->attributes |= FCTX_ATTR_HAVEANSWER;
if (hevent != NULL) { if (hevent != NULL) {
@@ -2289,15 +2291,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
break; break;
} }
if (sigrdataset == NULL) { if (sigrdataset == NULL) {
if (ANSWER(rdataset)) { if (!ANSWER(rdataset)) {
/*
* The peer is broken.
*/
FCTXTRACE("DNSSEC response "
"missing SIG");
result = DNS_R_FORMERR;
break;
} else {
/* /*
* Ignore non-answer rdatasets that * Ignore non-answer rdatasets that
* are missing signatures. * are missing signatures.
@@ -2311,9 +2305,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
* pending data. * pending data.
*/ */
#ifdef notyet #ifdef notyet
if (sigrdataset != NULL)
set_ttl(rdataset, sigrdataset); set_ttl(rdataset, sigrdataset);
#endif #endif
rdataset->trust = dns_trust_pending; rdataset->trust = dns_trust_pending;
if (sigrdataset != NULL)
sigrdataset->trust = dns_trust_pending; sigrdataset->trust = dns_trust_pending;
result = dns_db_addrdataset(res->view->cachedb, result = dns_db_addrdataset(res->view->cachedb,
node, NULL, now, node, NULL, now,
@@ -2321,12 +2317,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
if (result != ISC_R_SUCCESS && if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED) result != DNS_R_UNCHANGED)
break; break;
if (sigrdataset != NULL) {
result = dns_db_addrdataset(res->view->cachedb, result = dns_db_addrdataset(res->view->cachedb,
node, NULL, now, node, NULL, now,
sigrdataset, 0, NULL); sigrdataset, 0,
NULL);
if (result != ISC_R_SUCCESS && if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED) result != DNS_R_UNCHANGED)
break; break;
}
if (ANSWER(rdataset)) { if (ANSWER(rdataset)) {
/* /*
* XXXRTH We should probably do this * XXXRTH We should probably do this
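Review bot: In cache_name(), an answer rdataset that arrives without a SIG under a security root is now cached with `dns_trust_pending` instead of being rejected with DNS_R_FORMERR, and nothing in these hunks separates an answer that is legitimately unsigned because it sits in an insecure subdomain from one whose SIG records were stripped in transit. Whether the validator later requires proof of the insecure delegation before this data is served is not visible here, so the assumption should be recorded at the `if (sigrdataset == NULL)` branch, e.g. `/* Unsigned answer: may be from an insecure subdomain; the validator must confirm that before this data is trusted. */`. The removed `FCTXTRACE("DNSSEC response missing SIG")` was the only trace of this condition, and a trace on the new path such as `FCTXTRACE("answer under security root has no SIG; left pending");` would keep it visible to operators. Both validated() and cache_name() extend beyond the hunks shown.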