Inhibit DNSSEC validation when forwarding to private servers for a domain.

server=/example.com/<ip-of-server> The rationale is that the chain-of-trust will not be complete to private servers. If it was, it would not be necessary to access the server direct.

Inhibit DNSSEC validation when forwarding to private servers for a domain.
server=/example.com/<ip-of-server> The rationale is that the chain-of-trust will not be complete to private servers. If it was, it would not be necessary to access the server direct.
5757371d · Simon Kelley · b633de94 · 5757371d
Commit 5757371d authored Jan 11, 2016 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

src/forward.c src/forward.c +3 -2

No files found.
--- a/src/forward.c
+++ b/src/forward.c
@@ -406,7 +406,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 	}
      
 #ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID))
+      if (option_bool(OPT_DNSSEC_VALID) && !(type & SERV_HAS_DOMAIN))
 	{
 	  size_t new = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ);
 	 
@@ -858,7 +858,8 @@ void reply_query(int fd, int family, time_t now)
 	no_cache_dnssec = 1;
      
 #ifdef HAVE_DNSSEC
-      if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
+      if (server && !(server->flags & SERV_HAS_DOMAIN) && 
+	  option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
 	{
 	  int status = 0;