Only validate NOERROR & NXDOMAIN

2015-07-02 12:59:28 +02:00 · 2015-07-02 12:59:28 +02:00 · ae580575d0
parent e3fe89c802
commit ae580575d0
1 changed files with 10 additions and 1 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@ -1840,6 +1840,16 @@ void priv_getdns_get_validation_chain(getdns_dns_req *dnsreq)
 	chain_head *chain = NULL;

 	for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) {
+		if (!  netreq->response
+		    || netreq->response_len < GLDNS_HEADER_SIZE
+		    || ( GLDNS_RCODE_WIRE(netreq->response)
+			 != GETDNS_RCODE_NOERROR &&
+			 GLDNS_RCODE_WIRE(netreq->response)
+			 != GETDNS_RCODE_NXDOMAIN) ) {
+
+			netreq->dnssec_status = GETDNS_DNSSEC_INSECURE;
+			continue;
+		}
 		add_pkt2val_chain( &dnsreq->my_mf, &chain
 		                 , netreq->response, netreq->response_len
 				 , netreq
@ -1852,7 +1862,6 @@ void priv_getdns_get_validation_chain(getdns_dns_req *dnsreq)
 				      , netreq
 		                      );
 	}
-
 	if (chain)
 		check_chain_complete(chain);
 	else