Fix DNSSEC without dnssec-check-unsigned.

An oversight meant that non-existance checking was being done anyway. (Should probably alter the default for this.)

Fix DNSSEC without dnssec-check-unsigned.
An oversight meant that non-existance checking was being done anyway. (Should probably alter the default for this.)
4e72fec6 · Simon Kelley · 4441cf76 · 4e72fec6
Commit 4e72fec6 authored Apr 11, 2018 by Simon Kelley
Show whitespace changes
Inline Side-by-side

Showing with 31 additions and 30 deletions

src/dnssec.c src/dnssec.c +31 -30

No files found.
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -872,7 +872,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
  if (qtype != T_DS || qclass != class)
    rc = STAT_BOGUS;
  else
-    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons);
+    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 1, &neganswer, &nons);
  if (rc == STAT_INSECURE)
    rc = STAT_BOGUS;
@@ -1966,6 +1966,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
    }
  /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
+  if (check_unsigned)
    for (j = 0; j <targetidx; j++)
      if ((p2 = targets[j]))
 	{