diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-05 01:35:28 +0100 |
commit | d3760be01b120df8980c056ecc85a4229d660264 (patch) | |
tree | ca9c2938ae603d2438e8c65a5c0c2885f0a8e3e7 /src/resolve/resolved-dns-dnssec.h | |
parent | man: add basic documentation for resolved.conf's DNSSEC= switch (diff) | |
download | systemd-d3760be01b120df8980c056ecc85a4229d660264.tar.xz systemd-d3760be01b120df8980c056ecc85a4229d660264.zip |
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existance, if it there is any.
This is necessary since otherwise an attacker might put together a faked
negative response for one of our question including a high-ttl SOA RR
for any parent zone, and we'd use trust the TTL.
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.h')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h index df377c8016..94d0b23f80 100644 --- a/src/resolve/resolved-dns-dnssec.h +++ b/src/resolve/resolved-dns-dnssec.h @@ -99,7 +99,7 @@ typedef enum DnssecNsecResult { DNSSEC_NSEC_OPTOUT, } DnssecNsecResult; -int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated); +int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl); const char* dnssec_mode_to_string(DnssecMode m) _const_; DnssecMode dnssec_mode_from_string(const char *s) _pure_; |