
NSEC3 and related RRSIGS are not part of the dnstree

1 parent 915b3b5 commit b17799a96bacb782b31b7255726cc1a6a5b3c840 @mind04 mind04 committed with mind04 Mar 12, 2015
@@ -1177,12 +1177,10 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
weDone = weRedirected = weHaveUnauth = false;
while(B.get(rr)) {
- if (p->qtype.getCode() == QType::ANY) {
- if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
- continue; // TODO: this actually means addRRSig should check if the RRSig is already there.
- if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM))
- continue; // Don't send dnssec info to non validating resolvers.
- }
+ if (p->qtype.getCode() == QType::ANY && !p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM))
+ continue; // Don't send dnssec info to non validating resolvers.
+ if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
+ continue; // TODO: this actually means addRRSig should check if the RRSig is already there
// cerr<<"Auth: "<<rr.auth<<", "<<(rr.qtype == p->qtype)<<", "<<rr.qtype.getName()<<endl;
if((p->qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth)
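Review bot: The RRSIG `continue` now runs for every qtype instead of only ANY, so the `rr.qtype == p->qtype` comparison on the last line of the hunk can no longer match an RRSIG record returned by the backend. The hunk does not show how an explicit qtype=RRSIG query is answered after this change (presumably signatures are attached later, as the comment says), so that path deserves its own regression test next to the NXDOMAIN one. The carried-over comment also no longer says why the skip is unconditional; I would write `// RRSIGs never make a name exist (e.g. those stored at NSEC3 hash names); signatures are added later.` and keep the addRRSig TODO on its own line. The `while` loop and questionOrRecurse itself continue outside the hunk.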
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com A
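Review bot: The test pins only the Rcode and the SOA of the negative answer, not the denial-of-existence proof a validating resolver would check, because the query is sent as a plain A lookup. If the suite's `cleandig` supports requesting DNSSEC records, a second line such as `cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com A dnssec` would also confirm that the NXDOMAIN for an NSEC3 hash name carries the expected NSEC3 records and signatures.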
@@ -0,0 +1 @@
+NSEC3 hashes are no part of the dns tree.
@@ -0,0 +1,3 @@
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.', qtype=A
