Commit Diff
Diff:
a37b21ae24e0343f538f1f3439d4d67838a13b3b
1af8b3d18b647dadccbf700de0c1cf22ad5c771e
Commit:
1af8b3d18b647dadccbf700de0c1cf22ad5c771e
Tree:
d0e2b8a9c27b44f6ddb41fc90daff90e5fe30009
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Wed Jul 8 17:33:28 2020 UTC
Message:
In caching forwarding mode, when we reply_*(), check for the q->aa flag when RRSIGs fail and return -1 if so. The cache will then expire the record and ask again with the DO bit set. This makes non-caching mode work again; caching still needs more thought/trial.
blob - 22c0019e1c39867ebf759a7997e37c0c2261c6e3
blob + 9de010d1bbff020d9e21278e2c74e6475b2acf24
--- cache.c
+++ cache.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: cache.c,v 1.1 2020/07/08 12:29:02 pjp Exp $
+ * $Id: cache.c,v 1.2 2020/07/08 17:33:28 pjp Exp $
*/
#include <sys/types.h>
@@ -201,7 +201,7 @@ cacheit(u_char *payload, u_char *estart, u_char *end,
char expand[DNS_MAXNAME + 1];
int elen, i, x;
int rlen = (end - estart);
- u_char *pb, *p = (char *)&dh[1];
+ u_char *pb, *p = payload;
uint16_t rrtype;
uint16_t rdlen;
@@ -209,6 +209,7 @@ cacheit(u_char *payload, u_char *estart, u_char *end,
struct cache_logic *cr;
+ p += sizeof(struct dns_header); /* skip dns_header */
elen = 0,
memset(&expand, 0, sizeof(expand));
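Review bot: The added `p += sizeof(struct dns_header);` advances into the payload with no length check visible in this hunk. Since `rlen` is already computed as `end - estart`, a guard such as `if (rlen < (int)sizeof(struct dns_header)) return -1;` before the skip would keep a truncated reply from being parsed past its end. cacheit() starts and continues outside the hunk, so an earlier check may already exist. Separately, the context line `elen = 0,` ends in a comma rather than a semicolon; it compiles as a comma expression with the memset, but it reads as a typo and is worth fixing while here.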
@@ -236,7 +237,7 @@ cacheit(u_char *payload, u_char *estart, u_char *end,
pb += 4; /* skip type and class */
- for (x = 0; x < ntohs(dh->answer) + ntohs(dh->additional); x++) {
+ for (x = 0; x < ntohs(dh->answer); x++) {
elen = 0;
memset(&expand, 0, sizeof(expand));
pb = expand_compression(pb, estart, end, (u_char *)&expand, &elen, sizeof(expand));
@@ -259,6 +260,7 @@ cacheit(u_char *payload, u_char *estart, u_char *end,
}
rrtype = ntohs(unpack16(pb));
+ /* class in here not parsed */
rrttl = ntohl(unpack32(pb + 4));
rdlen = ntohs(unpack16(pb + 8));
blob - 4d8c5e0e4e9afc5fa9558e2d073b724c4781907f
blob + 6c9829c235ecb3bf983342250bb74cc0f1a5e105
--- forward.c
+++ forward.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: forward.c,v 1.15 2020/07/08 12:29:02 pjp Exp $
+ * $Id: forward.c,v 1.16 2020/07/08 17:33:28 pjp Exp $
*/
#include <sys/types.h>
@@ -126,6 +126,7 @@ struct forwardqueue {
struct fwdpq {
int rc;
+ int istcp;
int cache;
int tsigcheck;
struct tsig tsig;
@@ -435,6 +436,8 @@ drop:
SLIST_REMOVE(&fwqhead, fwq1, forwardqueue, entries);
close(fwq1->so);
+ fwq1->so = -1;
+
if (fwq1->returnso != -1)
close(fwq2->returnso);
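Review bot: The context lines right after the added `fwq1->so = -1;` test `fwq1->returnso` but close `fwq2->returnso`, so the descriptor that gets closed belongs to a different pointer than the one checked. Elsewhere in this file fwq2 is the SLIST_FOREACH_SAFE look-ahead pointer, which suggests it can be NULL or name another queue entry here; that would be either a NULL dereference or closing another client's return socket. Since this hunk is already resetting descriptors, I would change it to `close(fwq1->returnso); fwq1->returnso = -1;`. The enclosing function begins and ends outside the hunk, so the role of fwq2 at this label should be confirmed.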
@@ -518,7 +521,14 @@ forwardthis(ddDB *db, struct cfg *cfg, int so, struct
time_t now;
char *p;
socklen_t namelen;
+ time_t highexpire;
+#if __OpenBSD__
+ highexpire = 67768036191673199;
+#else
+ highexpire = 2147483647;
+#endif
+
if (replybuf == NULL) {
replybuf = calloc(1, 0xffff + 2);
if (replybuf == NULL) {
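Review bot: `highexpire` is set from two unexplained literals selected by `#if __OpenBSD__`, which ties the choice to the OS name rather than to the width of `time_t` and warns under `-Wundef` where the macro is not defined. A comment stating what this value means to expire_rr() (presumably "expire regardless of age", to be confirmed) and a test such as `#ifdef __OpenBSD__` would make the block easier to audit. On other systems with a 64-bit time_t, the 2147483647 cap stops being far in the future in 2038.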
@@ -535,9 +545,13 @@ forwardthis(ddDB *db, struct cfg *cfg, int so, struct
SLIST_FOREACH_SAFE(fwq1, &fwqhead, entries, fwq2) {
if (difftime(now, fwq1->time) > 15) {
SLIST_REMOVE(&fwqhead, fwq1, forwardqueue, entries);
- if (fwq1->returnso != -1)
+ if (fwq1->returnso != -1) {
close(fwq1->returnso);
- close(fwq1->so);
+ fwq1->returnso = -1;
+ }
+ if (fwq1->so != -1)
+ close(fwq1->so);
+
if (fwq1->tsigkey)
free(fwq1->tsigkey);
free(fwq1);
@@ -657,12 +671,24 @@ forwardthis(ddDB *db, struct cfg *cfg, int so, struct
if (rl->rrtype == ntohs(q->hdr->qtype)) {
slen = (*rl->reply)(&sreply, cfg->db);
if (slen < 0) {
+ /*
+ * we may have a non-dnssec answer cached without RRSIG
+ * at this point the rl->reply will fail.. expire it
+ * and fill it with dnssec data if available
+ */
+ if (q->dnssecok == 1) {
+ expire_rr(db, q->hdr->name, q->hdr->namelen,
+ ntohs(q->hdr->qtype), highexpire);
+ free_question(q);
+ goto newqueue;
+ }
dolog(LOG_INFO, "reply failed\n");
}
break;
} /* if rl->rrtype == */
}
+ free_question(q);
/* at this point we return everythign is done */
return;
}
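Review bot: In the new `q->dnssecok == 1` branch, `free_question(q)` runs immediately before `goto newqueue`, and the code at that label is outside the hunk; if anything there still reads `q` (for example `q->hdr`), it would be a use-after-free. I would either move the free to the point where `q` is last needed or write `free_question(q); q = NULL;` so a stale use faults instead of reading freed memory. Also worth confirming: for a name whose zone is simply unsigned, every DO query appears to take this expire-and-requery path, so such records would never be answered from cache.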
@@ -881,12 +907,12 @@ sendit(struct forwardqueue *fwq, struct sforward *sfor
if (fwq->istcp == 1) {
pack16(buf, htons(len));
- if (send(fwq->so, buf, len + 2, 0) < 0) {
+ if (fwq->so != -1 && send(fwq->so, buf, len + 2, 0) < 0) {
dolog(LOG_INFO, "send() failed changing forwarder: %s\n", strerror(errno));
changeforwarder(fwq);
}
} else {
- if (send(fwq->so, buf, len, 0) < 0) {
+ if (fwq->so != -1 && send(fwq->so, buf, len, 0) < 0) {
dolog(LOG_INFO, "send() failed (udp) changing forwarder %s\n", strerror(errno));
changeforwarder(fwq);
}
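Review bot: With the new `fwq->so != -1 &&` guard in both branches, a queue entry whose socket is already -1 now skips the send without logging and without calling changeforwarder(). The query is then never forwarded and nothing records why. I would test `fwq->so == -1` once ahead of the `istcp` branch and log it, e.g. `dolog(LOG_INFO, "sendit: no forwarder socket, query not sent\n");`, before leaving. sendit() continues outside the hunk, so the right way to bail out there needs to be confirmed.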
@@ -934,7 +960,6 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
if (fwq->istcp == 1) {
p = &buf[2];
- so = fwq->returnso;
len = 2;
} else {
p = buf;
@@ -987,7 +1012,14 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
if (cache)
fwdpq->cache = 1;
+ else
+ fwdpq->cache = 0;
+ if (fwq->istcp)
+ fwdpq->istcp = 1;
+ else
+ fwdpq->istcp = 0;
+
if (imsg_compose(ibuf, IMSG_PARSE_MESSAGE, 0, 0, (fwq->istcp == 1) ? fwq->so : -1, fwdpq, fwq->istcp ? FWDPQHEADER : rlen + FWDPQHEADER) < 0) {
dolog(LOG_INFO, "imsg_compose: %s\n", strerror(errno));
free(fwdpq);
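Review bot: For TCP this call hands `fwq->so` to imsg_compose() as the descriptor to pass, and imsg closes a passed descriptor once the message has been flushed, yet `fwq->so` keeps the old number until the reply handler assigns `imsg.fd`. On the error paths that now `continue` or `break` instead of returning, the expiry code would later `close(fwq1->so)` on a number that may have been reused for an unrelated socket. Setting `if (fwq->istcp == 1) fwq->so = -1;` right after a successful imsg_compose() would keep the queue entry consistent. The failure branch after `free(fwdpq);` continues outside the hunk.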
@@ -999,36 +1031,47 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
FD_ZERO(&rset);
FD_SET(ibuf->fd, &rset);
- tv.tv_sec = 10;
+ tv.tv_sec = 4;
tv.tv_usec = 0;
sel = select(ibuf->fd + 1, &rset, NULL, NULL, &tv);
if (sel < 0) {
dolog(LOG_ERR, "returnit internal error around select, drop\n");
- free(fwdpq);
- return;
+ continue;
}
if (sel == 0) {
dolog(LOG_ERR, "returnit internal error around select (timeout), drop\n");
- free(fwdpq);
- return;
+ continue;
}
- if (((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) || n == 0) {
- dolog(LOG_ERR, "returnit internal error around imsg_read, drop\n");
- free(fwdpq);
- return;
+ if (FD_ISSET(ibuf->fd, &rset)) {
+ if (((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)) {
+ dolog(LOG_ERR, "returnit internal error around imsg_read, drop\n");
+ continue;
+ }
+ if (n == 0) {
+ dolog(LOG_INFO, "imsg peer died? shutting down\n");
+ ddd_shutdown();
+ exit(1);
+ }
+
+ } else {
+ /* the ibuf has no selectable fd */
+ continue;
}
+
for (;;) {
if ((n = imsg_get(ibuf, &imsg)) == -1) {
dolog(LOG_ERR, "returnit internal error around imsg_get, drop\n");
- free(fwdpq);
- return;
+ break;
}
if (n == 0) {
+#if DEBUG
+ dolog(LOG_INFO, "n == 0, odd...\n");
+#endif
break;
}
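Review bot: The select() error and timeout branches now `continue` instead of returning, and the loop they continue is outside the hunk. If that loop is unconditional, a parser that never answers keeps returnit() retrying every 4 seconds indefinitely, and a persistent select() error such as EBADF would spin while logging. A bounded retry count, or giving up after the first timeout as before, would keep one stuck reply from stalling the forwarder. The `n == 0` path that calls `ddd_shutdown(); exit(1);` also deserves a short comment on why the whole daemon goes down at this point.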
@@ -1037,14 +1080,15 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
case IMSG_PARSEREPLY_MESSAGE:
memcpy(fwdpq, imsg.data, datalen);
+ if (fwq->istcp == 1)
+ fwq->so = imsg.fd;
+
if (fwdpq->rc != PARSE_RETURN_ACK) {
dolog(LOG_ERR, "returnit parser did not ACK this (%d), drop\n", fwdpq->rc);
- free(fwdpq);
- return;
+ imsg_free(&imsg);
+ break;
}
- if (fwq->istcp == 1)
- fwq->so = imsg.fd;
imsg_free(&imsg);
goto endimsg;
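Review bot: When `fwdpq->rc != PARSE_RETURN_ACK` the code used to free and return, but the new `imsg_free(&imsg); break;` sits inside a `case`, so it only leaves the switch and the surrounding loop carries on. The code after the switch is outside the hunk. It should be confirmed that a reply the parser rejected (for example with PARSE_RETURN_MALFORMED) cannot reach `endimsg` and be relayed to the client, and that `imsg` is not freed a second time after the switch. An explicit jump to a dedicated drop label would make the intent visible.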
@@ -1071,6 +1115,7 @@ returnit(ddDB *db, struct cfg *cfg, struct forwardqueu
ri.rrtype, (void *)rdata, ri.ttl)) == NULL) {
dolog(LOG_ERR, "returnit cache insertion failed 2\n");
imsg_free(&imsg);
+ free(rdata);
break;
}
@@ -1148,9 +1193,9 @@ endimsg:
if (fwq->istcp == 1) {
pack16(buf, htons(rlen));
- if (send(so, buf, len, 0) != len)
+ if (send(fwq->returnso, buf, len, 0) != len)
dolog(LOG_INFO, "send(): %s\n", strerror(errno));
- close(so); /* only close the tcp stream */
+ close(fwq->returnso); /* only close the tcp stream */
fwq->returnso = -1;
} else {
@@ -1618,7 +1663,6 @@ fwdparseloop(struct imsgbuf *ibuf)
exit(1);
}
- packet = &fwdpq->buf[0];
for (;;) {
FD_ZERO(&rset);
@@ -1663,6 +1707,10 @@ fwdparseloop(struct imsgbuf *ibuf)
}
memcpy(fwdpq, imsg.data, datalen);
+
+
+ istcp = fwdpq->istcp;
+
if (istcp) {
packet = malloc(fwdpq->buflen);
if (packet == NULL) {
@@ -1682,7 +1730,8 @@ fwdparseloop(struct imsgbuf *ibuf)
msgbuf_write(&ibuf->w);
break;
}
- }
+ } else
+ packet = (u_char *)&fwdpq->buf;
if (istcp) {
tmp = fwdpq->buflen;
@@ -1726,7 +1775,7 @@ fwdparseloop(struct imsgbuf *ibuf)
/* check for cache */
if (fwdpq->cache) {
estart = packet;
- rlen = fwdpq->buflen;
+ rlen = tmp;
end = &packet[rlen];
if (cacheit(packet, estart, end, ibuf, imsg.fd) < 0) {
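Review bot: `rlen = tmp` feeds `end = &packet[rlen]`, and in the UDP case `packet` now points at `fwdpq->buf`, so `tmp` must not exceed that buffer or cacheit() is handed an `end` beyond it. The assignment of `tmp` for the non-TCP case is outside this hunk; if it is taken from a length field in the imsg payload, the message should be rejected with `fwdpq->rc = PARSE_RETURN_MALFORMED` when `tmp` is larger than `sizeof(fwdpq->buf)` (assuming `buf` is an array member). The same `tmp` is passed to check_tsig() in the next hunk and needs the same guarantee.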
@@ -1738,7 +1787,8 @@ skipcache:
/* check to see if we tsig */
if (fwdpq->tsigcheck) {
- stsig = check_tsig((char *)fwdpq->buf, fwdpq->buflen, fwdpq->mac);
+ rlen = tmp;
+ stsig = check_tsig((char *)packet, rlen, fwdpq->mac);
if (stsig == NULL) {
dolog(LOG_INFO, "FORWARD parser, malformed reply packet\n");
fwdpq->rc = PARSE_RETURN_MALFORMED;
blob - 6018104cb3cc57ad88b0fa9008026158505b166d
blob + 7821cab82ece55983f13b9584ac1957b31bad180
--- reply.c
+++ reply.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: reply.c,v 1.105 2020/07/08 12:29:02 pjp Exp $
+ * $Id: reply.c,v 1.106 2020/07/08 17:33:28 pjp Exp $
*/
#include <sys/types.h>
@@ -297,6 +297,10 @@ reply_a(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_A, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
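Review bot: The new `if (q->aa != 1) return -1;` leaves reply_a() in the middle of reply construction, and the same lines are added at the matching spot in every other reply_*() hunk of this file. Each early return should be checked against whatever the function has acquired by then, which is not visible in these hunks. `tmplen == 0` previously led to setting the truncation bit, which suggests it can also mean the RRSIG did not fit rather than that none exists; in that case the forwarding path would expire a good cache entry instead of answering with TC. Factoring the guard into one helper or macro, with a comment stating what `q->aa != 1` means, would keep the many copies from drifting apart.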
@@ -519,6 +523,10 @@ reply_nsec3param(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_NSEC3PARAM, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -755,6 +763,10 @@ reply_nsec3(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_NSEC3, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -959,6 +971,11 @@ reply_nsec(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_NSEC, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -1164,6 +1181,11 @@ reply_ds(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_DS, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -1372,6 +1394,11 @@ reply_dnskey(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_DNSKEY, rbt, reply, replysize, outlen, &rrsig_count, q->aa);
if (tmplen == 0) {
+
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -1507,6 +1534,10 @@ reply_rrsig(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, -1, rbt, reply, replysize, outlen, &a_count, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -1685,6 +1716,11 @@ reply_aaaa(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_AAAA, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -1917,6 +1953,11 @@ reply_mx(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_MX, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -1967,6 +2008,10 @@ reply_mx(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(ad0->name, ad0->namelen, DNS_TYPE_AAAA, rbt0, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2014,6 +2059,10 @@ reply_mx(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(ad0->name, ad0->namelen, DNS_TYPE_A, rbt0, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2249,6 +2298,10 @@ reply_ns(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(rbt1->zone, rbt1->zonelen, DNS_TYPE_NS, rbt1, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2279,6 +2332,10 @@ reply_ns(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(rbt1->zone, rbt1->zonelen, DNS_TYPE_DS, rbt1, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2357,6 +2414,10 @@ reply_ns(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(ad0->name, ad0->namelen, DNS_TYPE_AAAA, rbt0, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2405,6 +2466,10 @@ reply_ns(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(ad0->name, ad0->namelen, DNS_TYPE_A, rbt0, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2622,6 +2687,10 @@ reply_cname(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_CNAME, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2655,6 +2724,10 @@ reply_cname(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_A, rbt1, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2687,6 +2760,10 @@ reply_cname(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_AAAA, rbt1, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2719,6 +2796,10 @@ reply_cname(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_MX, rbt1, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2751,6 +2832,10 @@ reply_cname(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_PTR, rbt1, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -2952,6 +3037,10 @@ reply_ptr(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_PTR, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -3212,6 +3301,10 @@ reply_soa(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_SOA, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -3421,6 +3514,10 @@ reply_txt(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_TXT, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -3756,6 +3853,10 @@ reply_tlsa(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_TLSA, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -3955,6 +4056,10 @@ reply_sshfp(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_SSHFP, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -4188,6 +4293,10 @@ reply_naptr(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_NAPTR, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -4392,6 +4501,10 @@ reply_srv(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_SRV, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -4764,6 +4877,10 @@ reply_nxdomain(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(rbt->zone, rbt->zonelen, DNS_TYPE_SOA, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);
@@ -5494,6 +5611,10 @@ reply_noerror(struct sreply *sreply, ddDB *db)
tmplen = additional_rrsig(rbt->zone, rbt->zonelen, DNS_TYPE_SOA, rbt, reply, replysize, outlen, &retcount, q->aa);
if (tmplen == 0) {
+ /* we're forwarding and had no RRSIG return with -1 */
+ if (q->aa != 1)
+ return -1;
+
NTOHS(odh->query);
SET_DNS_TRUNCATION(odh);
HTONS(odh->query);