1947. [func] It is now possible to configure named to accept

expired RRSIGs. Default "dnssec-accept-expired no;". Setting "dnssec-accept-expired yes;" leaves named vulnerable to replay attacks. [RT #14685]
2025-09-05 00:55:24 +00:00 · 2006-01-04 02:35:49 +00:00
parent 35da39a7f1
commit fabf2ee6b0
10 changed files with 66 additions and 19 deletions
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.451 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: server.c,v 1.452 2006/01/04 02:35:49 marka Exp $ */

 /*! \file */

@@ -1395,6 +1395,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	INSIST(result == ISC_R_SUCCESS);
 	view->enablednssec = cfg_obj_asboolean(obj);

+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->acceptexpired = cfg_obj_asboolean(obj);
+
 	obj = NULL;
 	result = ns_config_get(maps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {