Fix DNSSEC validation of ANY queries.

9d1b22aa · Simon Kelley · 1fc02680 · 9d1b22aa · 9d1b22aa
Commit 9d1b22aa authored Apr 29, 2014 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

CHANGELOG CHANGELOG +14 -0

src/dnssec.c src/dnssec.c +3 -0

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
+version 2.71
+            Subtle change to error handling to help DNSSEC validation 
+	    when servers fail to provide NODATA answers for 
+	    non-existent DS records.
+
+	    Tweak code which removes DNSSEC records from answers when
+	    not required. Fixes broken answers when additional section
+	    has real records in it. Thanks to Marco Davids for the bug 
+	    report.
+
+	    Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+	    for spotting that too.
+
+
 version 2.70
            Fix crash, introduced in 2.69, on TCP request when dnsmasq
 	    compiled with DNSSEC support, but running without DNSSEC

--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1682,6 +1682,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
  GETSHORT(qtype, p1);
  GETSHORT(qclass, p1);
  ans_start = p1;
+
+  if (qtype == T_ANY)
+    have_answer = 1;
 
  /* Can't validate an RRISG query */
  if (qtype == T_RRSIG)