Handle SERVFAIL replies when looking for proven-nonexistence of DS.

4872aa74 · Simon Kelley · 50f86ce8 · 4872aa74
Commit 4872aa74 authored Apr 26, 2014 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 7 deletions

src/forward.c src/forward.c +14 -7

No files found.
--- a/src/forward.c
+++ b/src/forward.c
@@ -1347,13 +1347,20 @@ static int do_check_sign(time_t now, struct dns_header *header, size_t plen, cha
 { 
  char *name_start;
  unsigned char *p;
-  int status = dnssec_validate_ds(now, header, plen, name, keyname, class);
+  int status;
-  if (status != STAT_INSECURE)
+  /* In this case only, a SERVFAIL reply allows us to continue up the tree, looking for a 
-    {
+     suitable NSEC reply to DS queries. */
-      if (status == STAT_NO_DS)
+  if (RCODE(header) != SERVFAIL)
-	status = STAT_INSECURE;
+    { 
-      return status;
+      status = dnssec_validate_ds(now, header, plen, name, keyname, class);
+      if (status != STAT_INSECURE)
+	{
+	  if (status == STAT_NO_DS)
+	    status = STAT_INSECURE;
+	  return status;
+	}
    }
  p = (unsigned char *)(header+1);