mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00

Removed the restriction that answers under a security root must have SIG

records in the answer, since they might be in an unsecure subdomain.
Brian Wellington
2000-04-18 17:44:22 +00:00
parent eb5250f0bd
commit 605b13c0dc


@@ -2150,13 +2150,15 @@ validated(isc_task_t *task, isc_event_t *event) {
if (result != ISC_R_SUCCESS && if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED) result != DNS_R_UNCHANGED)
goto cleanup; goto cleanup;
result = dns_db_addrdataset(fctx->res->view->cachedb, if (vevent->sigrdataset != NULL) {
node, NULL, now, result = dns_db_addrdataset(fctx->res->view->cachedb,
vevent->sigrdataset, 0, node, NULL, now,
asigrdataset); vevent->sigrdataset, 0,
if (result != ISC_R_SUCCESS && asigrdataset);
result != DNS_R_UNCHANGED) if (result != ISC_R_SUCCESS &&
goto cleanup; result != DNS_R_UNCHANGED)
goto cleanup;
}
fctx->attributes |= FCTX_ATTR_HAVEANSWER; fctx->attributes |= FCTX_ATTR_HAVEANSWER;
if (hevent != NULL) { if (hevent != NULL) {
@@ -2289,15 +2291,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
break; break;
} }
if (sigrdataset == NULL) { if (sigrdataset == NULL) {
if (ANSWER(rdataset)) { if (!ANSWER(rdataset)) {
/*
* The peer is broken.
*/
FCTXTRACE("DNSSEC response "
"missing SIG");
result = DNS_R_FORMERR;
break;
} else {
/* /*
* Ignore non-answer rdatasets that * Ignore non-answer rdatasets that
* are missing signatures. * are missing signatures.
@@ -2311,22 +2305,27 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
* pending data. * pending data.
*/ */
#ifdef notyet #ifdef notyet
set_ttl(rdataset, sigrdataset); if (sigrdataset != NULL)
set_ttl(rdataset, sigrdataset);
#endif #endif
rdataset->trust = dns_trust_pending; rdataset->trust = dns_trust_pending;
sigrdataset->trust = dns_trust_pending; if (sigrdataset != NULL)
sigrdataset->trust = dns_trust_pending;
result = dns_db_addrdataset(res->view->cachedb, result = dns_db_addrdataset(res->view->cachedb,
node, NULL, now, node, NULL, now,
rdataset, 0, NULL); rdataset, 0, NULL);
if (result != ISC_R_SUCCESS && if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED) result != DNS_R_UNCHANGED)
break; break;
result = dns_db_addrdataset(res->view->cachedb, if (sigrdataset != NULL) {
node, NULL, now, result = dns_db_addrdataset(res->view->cachedb,
sigrdataset, 0, NULL); node, NULL, now,
if (result != ISC_R_SUCCESS && sigrdataset, 0,
result != DNS_R_UNCHANGED) NULL);
break; if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED)
break;
}
if (ANSWER(rdataset)) { if (ANSWER(rdataset)) {
/* /*
* XXXRTH We should probably do this * XXXRTH We should probably do this
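Review bot: In cache_name(), an answer rdataset that arrives without a SIG under a security root is no longer rejected with DNS_R_FORMERR but falls through and is cached at `dns_trust_pending`, and nothing in these hunks shows where the name is proven to lie in an unsecure subdomain. Unless the validator establishes that before the data is handed out, a response whose SIG records were dropped in transit is treated the same as a legitimately unsigned one, so the invariant should be written down at the `if (sigrdataset == NULL)` branch, for example `/* Unsigned answer: accepted only as pending; the validator must prove the name is in an unsecure subdomain before it is trusted. */`. In validated(), when `vevent->sigrdataset` is NULL the call that fills `asigrdataset` is skipped, so any later use of `asigrdataset` in that function presumably needs the same NULL or association check. Both functions start and end outside the hunks, so these points should be confirmed against the full bodies.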