[LEDE-DEV] [PATCH v1] dnsmasq: bump to 2.79rc1
Hans Dedecker
dedeckeh at gmail.com
Sat Feb 17 13:11:00 PST 2018
On Thu, Feb 15, 2018 at 11:45 AM, Kevin Darbyshire-Bryant
<ldir at darbyshire-bryant.me.uk> wrote:
> 1721453 Remove special handling of A-for-A queries.
> 499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262
> 6f1cbfd Fix debian/readme typo.
> 55ecde7 Inotify: Ignore backup files created by editors
> 6b54d69 Make failure to chown() pidfile a warning.
> 246a31c Change ownership of pid file, to keep systemd happy.
> 83e4b73 Remove confusion between --user and --script-user.
> 6340ca7 Tweak heuristic for initial DNSSEC memory allocation.
> baf553d Default min-port to 1024 to avoid reserved ports.
> 486bcd5 Simplify and correct bindtodevice().
> be9a74d Close Debian bug for CVE-2017-15107.
> ffcbc0f Example config typo fixes.
> a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS.
> f178172 Add homepage to Debian control file.
> cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6
> c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes.
> 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.
> 3bd4c47 Remove limit on length of command-line options.
> 98196c4 Typo fix.
> 22cd860 Allow more than one --bridge-interface option to refer to an interface.
> 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation.
> faaf306 Spelling fixes.
> c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown.
> e541245 Handle duplicate RRs in DNSSEC validation.
> 84a01be Bump year in Debian copyright notice.
> d1ced3a Update copyrights to 2018.
> a6cee69 Fix exit code from dhcp_release6.
> 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c
> 39d8550 Run Debian startup regex in "C" locale.
> ef3d137 Fix infinite retries in strict-order mode.
> 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC.
> 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section.
> 74f0f9a Commment language tweaks.
> ed6bdb0 Man page typos.
> c88af04 Modify doc.html to mention git-over-http is now available.
> ae0187d Fix trust-anchor regexp in Debian init script.
> 0c50e3d Bump version in Debian package.
> 075366a Open inotify socket only when used.
> 8e8b2d6 Release notes update.
> 087eb76 Always return a SERVFAIL response to DNS queries with RD=0.
> ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104
> 0954a97 Remove RSA/MD5 DNSSEC algorithm.
> b77efc1 Tidy DNSSEC algorithm table use.
> 3b0cb34 Fix manpage which said ZSK but meant KSK.
> aa6f832 Add a few DNS RRs to the table.
> ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm.
> a6004d7 Fix caching logic for validated answers.
> c366717 Tidy up add_resource_record() buffer size checks.
> 22dee51 Log DNS server max packet size reduction.
> 6fd5d79 Fix logic on EDNS0 headers.
> 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS.
> a49c5c2 Fix search_servers() segfault with DNSSEC.
> 30858e3 Spaces in CNAME options break parsing.
>
> Refresh patches.
> Remove upstreamed patches:
> 250-Fix-infinite-retries-in-strict-order-mode.patch
> 260-dnssec-SIGINT.patch
> 270-dnssec-wildcards.patch
>
> Signed-off-by: Kevin Darbyshire-Bryant <ldir at darbyshire-bryant.me.uk>
Thanks; patch applied to my staging tree
https://git.openwrt.org/?p=openwrt/staging/dedeckeh.git;a=commit;h=cc48ab251ce16da2e8ec4e13a29c0e8732980735
Hans
> ---
> package/network/services/dnsmasq/Makefile | 8 +-
> .../210-dnssec-improve-timestamp-heuristic.patch | 4 +-
> .../services/dnsmasq/patches/240-ubus.patch | 6 +-
> ...Fix-infinite-retries-in-strict-order-mode.patch | 45 -----
> .../dnsmasq/patches/260-dnssec-SIGINT.patch | 120 ------------
> .../dnsmasq/patches/270-dnssec-wildcards.patch | 202 ---------------------
> 6 files changed, 9 insertions(+), 376 deletions(-)
> delete mode 100644 package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch
> delete mode 100644 package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> delete mode 100644 package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
>
> diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
> index 7ba7d56b52..46b68a24a6 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -8,12 +8,12 @@
> include $(TOPDIR)/rules.mk
>
> PKG_NAME:=dnsmasq
> -PKG_VERSION:=2.78
> -PKG_RELEASE:=10
> +PKG_VERSION:=2.79rc1
> +PKG_RELEASE:=1
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
> -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
> -PKG_HASH:=89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
> +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates/
> +PKG_HASH:=57d17a3a6cf34af5dcbc5107c45b05671bda9d250718fe073ca12c5f61099985
>
> PKG_LICENSE:=GPL-2.0
> PKG_LICENSE_FILES:=COPYING
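Review bot: PKG_SOURCE_URL in this hunk still uses plain http:// and now points at the release-candidates/ directory, so the new PKG_HASH line is the only thing that authenticates the 2.79rc1 tarball. Please state in the commit message how that hash was obtained (for example, computed from a tarball checked against an upstream signature, if one is published) rather than taken from the same unauthenticated download. Because this pins a release candidate, it is also worth noting that the URL has to move back to http://thekelleys.org.uk/dnsmasq/ when 2.79 final is packaged.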
> diff --git a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
> index 2f854d490b..be1195abbd 100644
> --- a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
> +++ b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
> @@ -10,7 +10,7 @@ Signed-off-by: Steven Barth <steven at midlink.org>
>
> --- a/src/dnssec.c
> +++ b/src/dnssec.c
> -@@ -462,17 +462,24 @@ static time_t timestamp_time;
> +@@ -143,17 +143,24 @@ static time_t timestamp_time;
> int setup_timestamp(void)
> {
> struct stat statbuf;
> @@ -36,7 +36,7 @@ Signed-off-by: Steven Barth <steven at midlink.org>
> {
> /* time already OK, update timestamp, and do key checking from the start. */
> if (utimes(daemon->timestamp_file, NULL) == -1)
> -@@ -493,7 +500,7 @@ int setup_timestamp(void)
> +@@ -174,7 +181,7 @@ int setup_timestamp(void)
>
> close(fd);
>
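Review bot: both embedded hunk headers in this file shift by 319 lines (462 to 143 and 493 to 174 in src/dnssec.c), which is far more than a routine refresh offset. Only the line numbers change here, so please confirm the patch still applies to setup_timestamp() without fuzz and that the timestamp heuristic still behaves as intended alongside 3c973ad (SIGINT to turn on DNSSEC time validation) from the changelog.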
> diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch
> index d21ca0dbaa..415c7a5e4c 100644
> --- a/package/network/services/dnsmasq/patches/240-ubus.patch
> +++ b/package/network/services/dnsmasq/patches/240-ubus.patch
> @@ -74,7 +74,7 @@
> int main (int argc, char **argv)
> {
> int bind_fallback = 0;
> -@@ -911,6 +971,7 @@ int main (int argc, char **argv)
> +@@ -928,6 +988,7 @@ int main (int argc, char **argv)
> set_dbus_listeners();
> #endif
>
> @@ -82,7 +82,7 @@
> #ifdef HAVE_DHCP
> if (daemon->dhcp || daemon->relay4)
> {
> -@@ -1041,6 +1102,8 @@ int main (int argc, char **argv)
> +@@ -1058,6 +1119,8 @@ int main (int argc, char **argv)
> check_dbus_listeners();
> #endif
>
> @@ -104,7 +104,7 @@
> mostly_clean :
> --- a/src/dnsmasq.h
> +++ b/src/dnsmasq.h
> -@@ -1397,6 +1397,8 @@ void emit_dbus_signal(int action, struct
> +@@ -1415,6 +1415,8 @@ void emit_dbus_signal(int action, struct
> # endif
> #endif
>
> diff --git a/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch b/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch
> deleted file mode 100644
> index faff680e03..0000000000
> --- a/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From ef3d137a646fa8309e1ff5184e3e145eef40cc4d Mon Sep 17 00:00:00 2001
> -From: Simon Kelley <simon at thekelleys.org.uk>
> -Date: Tue, 5 Dec 2017 22:37:29 +0000
> -Subject: [PATCH] Fix infinite retries in strict-order mode.
> -
> - If all configured dns servers return refused in
> - response to a query; dnsmasq will end up in an infinite loop
> - retransmitting the dns query resulting into high CPU load.
> - Problem is caused by the dns refuse retransmission logic which does
> - not check for the end of a dns server list iteration in strict mode.
> - Having one configured dns server returning a refused reply easily
> - triggers this problem in strict order mode. This was introduced in
> - 9396752c115b3ab733fa476b30da73237e12e7ba
> -
> - Thanks to Hans Dedecker <dedeckeh at gmail.com> for spotting this
> - and the initial patch.
> ----
> - src/forward.c | 14 ++++++++++++--
> - 1 file changed, 12 insertions(+), 2 deletions(-)
> -
> ---- a/src/forward.c
> -+++ b/src/forward.c
> -@@ -797,10 +797,20 @@ void reply_query(int fd, int family, tim
> - unsigned char *pheader;
> - size_t plen;
> - int is_sign;
> --
> -+
> -+ /* In strict order mode, there must be a server later in the chain
> -+ left to send to, otherwise without the forwardall mechanism,
> -+ code further on will cycle around the list forwever if they
> -+ all return REFUSED. Note that server is always non-NULL before
> -+ this executes. */
> -+ if (option_bool(OPT_ORDER))
> -+ for (server = forward->sentto->next; server; server = server->next)
> -+ if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP)))
> -+ break;
> -+
> - /* recreate query from reply */
> - pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, NULL);
> -- if (!is_sign)
> -+ if (!is_sign && server)
> - {
> - header->ancount = htons(0);
> - header->nscount = htons(0);
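Review bot: the commit message justifies this deletion only with "Remove upstreamed patches", without tying each dropped file to an upstream commit id. The From line here (ef3d137a646fa8309e1ff5184e3e145eef40cc4d) does match "ef3d137 Fix infinite retries in strict-order mode." in the changelog, so the removal is consistent; stating that mapping for each of the three removed patches would make the check reproducible for later reviewers.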
> diff --git a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> deleted file mode 100644
> index e280142f75..0000000000
> --- a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> +++ /dev/null
> @@ -1,120 +0,0 @@
> -From 3c973ad92d317df736d5a8fde67baba6b102d91e Mon Sep 17 00:00:00 2001
> -From: Simon Kelley <simon at thekelleys.org.uk>
> -Date: Sun, 14 Jan 2018 21:05:37 +0000
> -Subject: [PATCH] Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
> - time validation.
> -
> ----
> - src/dnsmasq.c | 36 +++++++++++++++++++++++++-----------
> - src/dnsmasq.h | 1 +
> - src/helper.c | 3 ++-
> - 5 files changed, 38 insertions(+), 14 deletions(-)
> -
> ---- a/src/dnsmasq.c
> -+++ b/src/dnsmasq.c
> -@@ -137,7 +137,8 @@ int main (int argc, char **argv)
> - sigaction(SIGTERM, &sigact, NULL);
> - sigaction(SIGALRM, &sigact, NULL);
> - sigaction(SIGCHLD, &sigact, NULL);
> --
> -+ sigaction(SIGINT, &sigact, NULL);
> -+
> - /* ignore SIGPIPE */
> - sigact.sa_handler = SIG_IGN;
> - sigaction(SIGPIPE, &sigact, NULL);
> -@@ -815,7 +816,7 @@ int main (int argc, char **argv)
> -
> - daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
> - if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
> -- my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
> -+ my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
> -
> - if (rc == 1)
> - my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
> -@@ -1142,7 +1143,7 @@ static void sig_handler(int sig)
> - {
> - /* ignore anything other than TERM during startup
> - and in helper proc. (helper ignore TERM too) */
> -- if (sig == SIGTERM)
> -+ if (sig == SIGTERM || sig == SIGINT)
> - exit(EC_MISC);
> - }
> - else if (pid != getpid())
> -@@ -1168,6 +1169,15 @@ static void sig_handler(int sig)
> - event = EVENT_DUMP;
> - else if (sig == SIGUSR2)
> - event = EVENT_REOPEN;
> -+ else if (sig == SIGINT)
> -+ {
> -+ /* Handle SIGINT normally in debug mode, so
> -+ ctrl-c continues to operate. */
> -+ if (option_bool(OPT_DEBUG))
> -+ exit(EC_MISC);
> -+ else
> -+ event = EVENT_TIME;
> -+ }
> - else
> - return;
> -
> -@@ -1295,14 +1305,7 @@ static void async_event(int pipe, time_t
> - {
> - case EVENT_RELOAD:
> - daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
> --
> --#ifdef HAVE_DNSSEC
> -- if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
> -- {
> -- my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
> -- daemon->dnssec_no_time_check = 0;
> -- }
> --#endif
> -+
> - /* fall through */
> -
> - case EVENT_INIT:
> -@@ -1411,6 +1414,17 @@ static void async_event(int pipe, time_t
> - poll_resolv(0, 1, now);
> - break;
> -
> -+ case EVENT_TIME:
> -+#ifdef HAVE_DNSSEC
> -+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
> -+ {
> -+ my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
> -+ daemon->dnssec_no_time_check = 0;
> -+ clear_cache_and_reload(now);
> -+ }
> -+#endif
> -+ break;
> -+
> - case EVENT_TERM:
> - /* Knock all our children on the head. */
> - for (i = 0; i < MAX_PROCS; i++)
> ---- a/src/dnsmasq.h
> -+++ b/src/dnsmasq.h
> -@@ -175,6 +175,7 @@ struct event_desc {
> - #define EVENT_NEWROUTE 23
> - #define EVENT_TIME_ERR 24
> - #define EVENT_SCRIPT_LOG 25
> -+#define EVENT_TIME 26
> -
> - /* Exit codes. */
> - #define EC_GOOD 0
> ---- a/src/helper.c
> -+++ b/src/helper.c
> -@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_
> - return pipefd[1];
> - }
> -
> -- /* ignore SIGTERM, so that we can clean up when the main process gets hit
> -+ /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
> - and SIGALRM so that we can use sleep() */
> - sigact.sa_handler = SIG_IGN;
> - sigact.sa_flags = 0;
> - sigemptyset(&sigact.sa_mask);
> - sigaction(SIGTERM, &sigact, NULL);
> - sigaction(SIGALRM, &sigact, NULL);
> -+ sigaction(SIGINT, &sigact, NULL);
> -
> - if (!option_bool(OPT_DEBUG) && uid != 0)
> - {
> diff --git a/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch b/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
> deleted file mode 100644
> index d13ac2cbad..0000000000
> --- a/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
> +++ /dev/null
> @@ -1,202 +0,0 @@
> -From 4fe6744a220eddd3f1749b40cac3dfc510787de6 Mon Sep 17 00:00:00 2001
> -From: Simon Kelley <simon at thekelleys.org.uk>
> -Date: Fri, 19 Jan 2018 12:26:08 +0000
> -Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107
> - applies.
> -
> -It's OK for NSEC records to be expanded from wildcards,
> -but in that case, the proof of non-existence is only valid
> -starting at the wildcard name, *.<domain> NOT the name expanded
> -from the wildcard. Without this check it's possible for an
> -attacker to craft an NSEC which wrongly proves non-existence
> -in a domain which includes a wildcard for NSEC.
> ----
> - src/dnssec.c | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
> - 2 files changed, 114 insertions(+), 15 deletions(-)
> -
> ---- a/src/dnssec.c
> -+++ b/src/dnssec.c
> -@@ -424,15 +424,17 @@ static void from_wire(char *name)
> - static int count_labels(char *name)
> - {
> - int i;
> --
> -+ char *p;
> -+
> - if (*name == 0)
> - return 0;
> -
> -- for (i = 0; *name; name++)
> -- if (*name == '.')
> -+ for (p = name, i = 0; *p; p++)
> -+ if (*p == '.')
> - i++;
> -
> -- return i+1;
> -+ /* Don't count empty first label. */
> -+ return *name == '.' ? i : i+1;
> - }
> -
> - /* Implement RFC1982 wrapped compare for 32-bit numbers */
> -@@ -1412,8 +1414,8 @@ static int hostname_cmp(const char *a, c
> - }
> - }
> -
> --static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
> -- char *workspace1, char *workspace2, char *name, int type, int *nons)
> -+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count,
> -+ char *workspace1_in, char *workspace2, char *name, int type, int *nons)
> - {
> - int i, rc, rdlen;
> - unsigned char *p, *psave;
> -@@ -1426,6 +1428,9 @@ static int prove_non_existence_nsec(stru
> - /* Find NSEC record that proves name doesn't exist */
> - for (i = 0; i < nsec_count; i++)
> - {
> -+ char *workspace1 = workspace1_in;
> -+ int sig_labels, name_labels;
> -+
> - p = nsecs[i];
> - if (!extract_name(header, plen, &p, workspace1, 1, 10))
> - return 0;
> -@@ -1434,7 +1439,27 @@ static int prove_non_existence_nsec(stru
> - psave = p;
> - if (!extract_name(header, plen, &p, workspace2, 1, 10))
> - return 0;
> --
> -+
> -+ /* If NSEC comes from wildcard expansion, use original wildcard
> -+ as name for computation. */
> -+ sig_labels = *labels[i];
> -+ name_labels = count_labels(workspace1);
> -+
> -+ if (sig_labels < name_labels)
> -+ {
> -+ int k;
> -+ for (k = name_labels - sig_labels; k != 0; k--)
> -+ {
> -+ while (*workspace1 != '.' && *workspace1 != 0)
> -+ workspace1++;
> -+ if (k != 1 && *workspace1 == '.')
> -+ workspace1++;
> -+ }
> -+
> -+ workspace1--;
> -+ *workspace1 = '*';
> -+ }
> -+
> - rc = hostname_cmp(workspace1, name);
> -
> - if (rc == 0)
> -@@ -1832,24 +1857,26 @@ static int prove_non_existence_nsec3(str
> -
> - static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons)
> - {
> -- static unsigned char **nsecset = NULL;
> -- static int nsecset_sz = 0;
> -+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL;
> -+ static int nsecset_sz = 0, rrsig_labels_sz = 0;
> -
> - int type_found = 0;
> -- unsigned char *p = skip_questions(header, plen);
> -+ unsigned char *auth_start, *p = skip_questions(header, plen);
> - int type, class, rdlen, i, nsecs_found;
> -
> - /* Move to NS section */
> - if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen)))
> - return 0;
> -+
> -+ auth_start = p;
> -
> - for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--)
> - {
> - unsigned char *pstart = p;
> -
> -- if (!(p = skip_name(p, header, plen, 10)))
> -+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10))
> - return 0;
> --
> -+
> - GETSHORT(type, p);
> - GETSHORT(class, p);
> - p += 4; /* TTL */
> -@@ -1866,7 +1893,69 @@ static int prove_non_existence(struct dn
> - if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
> - return 0;
> -
> -- nsecset[nsecs_found++] = pstart;
> -+ if (type == T_NSEC)
> -+ {
> -+ /* If we're looking for NSECs, find the corresponding SIGs, to
> -+ extract the labels value, which we need in case the NSECs
> -+ are the result of wildcard expansion.
> -+ Note that the NSEC may not have been validated yet
> -+ so if there are multiple SIGs, make sure the label value
> -+ is the same in all, to avoid be duped by a rogue one.
> -+ If there are no SIGs, that's an error */
> -+ unsigned char *p1 = auth_start;
> -+ int res, j, rdlen1, type1, class1;
> -+
> -+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found))
> -+ return 0;
> -+
> -+ rrsig_labels[nsecs_found] = NULL;
> -+
> -+ for (j = ntohs(header->nscount); j != 0; j--)
> -+ {
> -+ if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
> -+ return 0;
> -+
> -+ GETSHORT(type1, p1);
> -+ GETSHORT(class1, p1);
> -+ p1 += 4; /* TTL */
> -+ GETSHORT(rdlen1, p1);
> -+
> -+ if (!CHECK_LEN(header, p1, plen, rdlen1))
> -+ return 0;
> -+
> -+ if (res == 1 && class1 == qclass && type1 == T_RRSIG)
> -+ {
> -+ int type_covered;
> -+ unsigned char *psav = p1;
> -+
> -+ if (rdlen1 < 18)
> -+ return 0; /* bad packet */
> -+
> -+ GETSHORT(type_covered, p1);
> -+
> -+ if (type_covered == T_NSEC)
> -+ {
> -+ p1++; /* algo */
> -+
> -+ /* labels field must be the same in every SIG we find. */
> -+ if (!rrsig_labels[nsecs_found])
> -+ rrsig_labels[nsecs_found] = p1;
> -+ else if (*rrsig_labels[nsecs_found] != *p1) /* algo */
> -+ return 0;
> -+ }
> -+ p1 = psav;
> -+ }
> -+
> -+ if (!ADD_RDLEN(header, p1, plen, rdlen1))
> -+ return 0;
> -+ }
> -+
> -+ /* Must have found at least one sig. */
> -+ if (!rrsig_labels[nsecs_found])
> -+ return 0;
> -+ }
> -+
> -+ nsecset[nsecs_found++] = pstart;
> - }
> -
> - if (!ADD_RDLEN(header, p, plen, rdlen))
> -@@ -1874,7 +1963,7 @@ static int prove_non_existence(struct dn
> - }
> -
> - if (type_found == T_NSEC)
> -- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
> -+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
> - else if (type_found == T_NSEC3)
> - return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons);
> - else
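Review bot: this deletion drops the local CVE-2017-15107 fix, so the commit message should say explicitly that 2.79rc1 carries it. The From line (4fe6744a220eddd3f1749b40cac3dfc510787de6) matches "4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies." in the changelog, so the removal itself looks right. The changelog also lists cd7df61 "Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6", which is not part of the file removed here; that follow-up is worth calling out for anyone who keeps the 2.78 package with only the 270 patch applied.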
> --
> 2.14.3 (Apple Git-98)