resolved: never authenticate RRsets with revoked keys

Lennart Poettering 2016-01-03 17:56:50 +01:00
parent 1d3db294fc
commit 28b8191e2f
2 changed files with 4 additions and 1 deletions


@ -671,6 +671,8 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske
return 0;
if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
return 0;
if ((dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))
return 0;
if (dnskey->dnskey.protocol != 3)
return 0;
if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
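Review bot: The added check `if ((dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))` has no comment saying why a revoked key is rejected, so it reads like one more format check next to the ZONE_KEY and protocol tests rather than a trust decision. I would put `/* RFC 5011: a key with the REVOKE bit set is no longer valid for authenticating RRsets */` above it and drop the doubled parentheses: `if (dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE)`. Because the function simply returns 0, a signature made by a revoked key presumably looks to callers the same as one with no matching key. If callers ever need to tell the two apart, for logging or for processing a key's self-signed revocation, that needs a separate path which this hunk does not show. The body of dnssec_rrsig_match_dnskey starts and ends outside the hunk.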


@ -34,8 +34,9 @@ typedef struct DnsResourceRecord DnsResourceRecord;
typedef struct DnsTxtItem DnsTxtItem;
/* DNSKEY RR flags */
#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
#define DNSKEY_FLAG_SEP (UINT16_C(1) << 0)
#define DNSKEY_FLAG_REVOKE (UINT16_C(1) << 7)
#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
/* mDNS RR flags */
#define MDNS_RR_CACHE_FLUSH (UINT16_C(1) << 15)
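Review bot: The DNSKEY flag defines give no hint that their shift amounts count from the least significant bit, while the RFCs number the flag bits from the most significant one. That makes `(UINT16_C(1) << 7)` for DNSKEY_FLAG_REVOKE easy to misread as off by one against the RFC's bit 8. I would extend the heading comment to `/* DNSKEY RR flags (RFC 4034; REVOKE from RFC 5011). RFC bit N is 1 << (15 - N) */`. The defines now appear sorted by ascending bit value, which is worth keeping when further flags are added.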