Enforce DNSSEC for checkpoint updates

monero-project · Mar 24, 2015 · e6740ee · e6740ee
1 parent dbf46a7
commit e6740ee
Showing 1 changed file with 17 additions and 10 deletions.
diff --git a/src/cryptonote_core/checkpoints_create.cpp b/src/cryptonote_core/checkpoints_create.cpp
@@ -138,35 +138,42 @@ bool load_checkpoints_from_dns(cryptonote::checkpoints& checkpoints, bool testne
   size_t cur_index = first_index;
   do
   {
+    std::string url;
     if (testnet)
     {
-      records = tools::DNSResolver::instance().get_txt_record(testnet_dns_urls[cur_index], avail, valid);
+      url = testnet_dns_urls[cur_index];
     }
     else
     {
-      records = tools::DNSResolver::instance().get_txt_record(dns_urls[cur_index], avail, valid);
+      url = dns_urls[cur_index];
     }
-    if (records.size() == 0 || (avail && !valid))
+
+    records = tools::DNSResolver::instance().get_txt_record(url, avail, valid);
+    if (!avail)
+    {
+      LOG_PRINT_L2("DNSSEC not available for checkpoint update at URL: " << url << ", skipping.");
+    }
+    if (!valid)
+    {
+      LOG_PRINT_L2("DNSSEC validation failed for checkpoint update at URL: " << url << ", skipping.");
+    }
+
+    if (records.size() == 0 || !avail || !valid)
     {
       cur_index++;
       if (cur_index == dns_urls.size())
       {
 	cur_index = 0;
       }
+      records.clear();
       continue;
     }
     break;
   } while (cur_index != first_index);
 
   if (records.size() == 0)
   {
-    LOG_PRINT_L1("Fetching MoneroPulse checkpoints failed, no TXT records available.");
-    return true;
-  }
-
-  if (avail && !valid)
-  {
-    LOG_PRINT_L0("WARNING: MoneroPulse failed DNSSEC validation and/or returned no records");
+    LOG_PRINT_L0("WARNING: All MoneroPulse checkpoint URLs failed DNSSEC validation and/or returned no records");
     return true;
   }