summaryrefslogtreecommitdiffstats
path: root/src/resolve/resolved-dns-dnssec.h
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-05 01:35:28 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-05 01:35:28 +0100
commitd3760be01b120df8980c056ecc85a4229d660264 (patch)
treeca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-dns-dnssec.h
parentman: add basic documentation for resolved.conf's DNSSEC= switch (diff)
downloadsystemd-d3760be01b120df8980c056ecc85a4229d660264.tar.xz
systemd-d3760be01b120df8980c056ecc85a4229d660264.zip
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existance, if it there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our question including a high-ttl SOA RR for any parent zone, and we'd use trust the TTL.
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.h')
-rw-r--r--src/resolve/resolved-dns-dnssec.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
index df377c8016..94d0b23f80 100644
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -99,7 +99,7 @@ typedef enum DnssecNsecResult {
DNSSEC_NSEC_OPTOUT,
} DnssecNsecResult;
-int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated);
+int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl);
const char* dnssec_mode_to_string(DnssecMode m) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;