[LEDE-DEV] [PATCH v1] dnsmasq: bump to 2.79rc1

Hans Dedecker dedeckeh at gmail.com
Sat Feb 17 13:11:00 PST 2018


On Thu, Feb 15, 2018 at 11:45 AM, Kevin Darbyshire-Bryant
<ldir at darbyshire-bryant.me.uk> wrote:
> 1721453 Remove special handling of A-for-A queries.
> 499d8dd Fix boundary for test introduced in 3e3f1029c9ec6c63e430ff51063a6301d4b2262
> 6f1cbfd Fix debian/readme typo.
> 55ecde7 Inotify: Ignore backup files created by editors
> 6b54d69 Make failure to chown() pidfile a warning.
> 246a31c Change ownership of pid file, to keep systemd happy.
> 83e4b73 Remove confusion between --user and --script-user.
> 6340ca7 Tweak heuristic for initial DNSSEC memory allocation.
> baf553d Default min-port to 1024 to avoid reserved ports.
> 486bcd5 Simplify and correct bindtodevice().
> be9a74d Close Debian bug for CVE-2017-15107.
> ffcbc0f Example config typo fixes.
> a969ba6 Special case NSEC processing for root DS record, to avoid spurious BOGUS.
> f178172 Add homepage to Debian control file.
> cd7df61 Fix DNSSEC validation errors introduced in 4fe6744a220eddd3f1749b40cac3dfc510787de6
> c1a4e25 Try to be a little more clever at falling back to smaller DNS packet sizes.
> 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies.
> 3bd4c47 Remove limit on length of command-line options.
> 98196c4 Typo fix.
> 22cd860  Allow more than one --bridge-interface option to refer to an interface.
> 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time validation.
> faaf306 Spelling fixes.
> c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was always development of iPXE core developer Michael Brown.
> e541245 Handle duplicate RRs in DNSSEC validation.
> 84a01be Bump year in Debian copyright notice.
> d1ced3a Update copyrights to 2018.
> a6cee69 Fix exit code from dhcp_release6.
> 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c
> 39d8550 Run Debian startup regex in "C" locale.
> ef3d137 Fix infinite retries in strict-order mode.
> 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC.
> 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in answer section.
> 74f0f9a Commment language tweaks.
> ed6bdb0 Man page typos.
> c88af04 Modify doc.html to mention git-over-http is now available.
> ae0187d Fix trust-anchor regexp in Debian init script.
> 0c50e3d Bump version in Debian package.
> 075366a Open inotify socket only when used.
> 8e8b2d6 Release notes update.
> 087eb76 Always return a SERVFAIL response to DNS queries with RD=0.
> ebedcba Typo in printf format string added in 22dee512f3738f87539a79aeb52b9e670b3bd104
> 0954a97 Remove RSA/MD5 DNSSEC algorithm.
> b77efc1 Tidy DNSSEC algorithm table use.
> 3b0cb34 Fix manpage which said ZSK but meant KSK.
> aa6f832 Add a few DNS RRs to the table.
> ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm.
> a6004d7 Fix caching logic for validated answers.
> c366717 Tidy up add_resource_record() buffer size checks.
> 22dee51 Log DNS server max packet size reduction.
> 6fd5d79 Fix logic on EDNS0 headers.
> 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for DNS.
> a49c5c2 Fix search_servers() segfault with DNSSEC.
> 30858e3 Spaces in CNAME options break parsing.
>
> Refresh patches.
> Remove upstreamed patches:
>         250-Fix-infinite-retries-in-strict-order-mode.patch
>         260-dnssec-SIGINT.patch
>         270-dnssec-wildcards.patch
>
> Signed-off-by: Kevin Darbyshire-Bryant <ldir at darbyshire-bryant.me.uk>
Thanks; patch applied to my staging tree
https://git.openwrt.org/?p=openwrt/staging/dedeckeh.git;a=commit;h=cc48ab251ce16da2e8ec4e13a29c0e8732980735

Hans
> ---
>  package/network/services/dnsmasq/Makefile          |   8 +-
>  .../210-dnssec-improve-timestamp-heuristic.patch   |   4 +-
>  .../services/dnsmasq/patches/240-ubus.patch        |   6 +-
>  ...Fix-infinite-retries-in-strict-order-mode.patch |  45 -----
>  .../dnsmasq/patches/260-dnssec-SIGINT.patch        | 120 ------------
>  .../dnsmasq/patches/270-dnssec-wildcards.patch     | 202 ---------------------
>  6 files changed, 9 insertions(+), 376 deletions(-)
>  delete mode 100644 package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch
>  delete mode 100644 package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
>  delete mode 100644 package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
>
> diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
> index 7ba7d56b52..46b68a24a6 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -8,12 +8,12 @@
>  include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=dnsmasq
> -PKG_VERSION:=2.78
> -PKG_RELEASE:=10
> +PKG_VERSION:=2.79rc1
> +PKG_RELEASE:=1
>
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
> -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
> -PKG_HASH:=89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
> +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates/
> +PKG_HASH:=57d17a3a6cf34af5dcbc5107c45b05671bda9d250718fe073ca12c5f61099985
>
>  PKG_LICENSE:=GPL-2.0
>  PKG_LICENSE_FILES:=COPYING
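Review bot: PKG_SOURCE_URL now points at the release-candidates/ directory rather than the release directory it replaces, and the new PKG_HASH is tied to that rc1 tarball; upstream rc tarballs are normally not kept once the final release ships, so the URL and hash will need a second bump when 2.79 is released, and the hash should be confirmed against a fresh download before merging rather than taken from the patch alone. Resetting PKG_RELEASE to 1 on the version change is fine.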
> diff --git a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
> index 2f854d490b..be1195abbd 100644
> --- a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
> +++ b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
> @@ -10,7 +10,7 @@ Signed-off-by: Steven Barth <steven at midlink.org>
>
>  --- a/src/dnssec.c
>  +++ b/src/dnssec.c
> -@@ -462,17 +462,24 @@ static time_t timestamp_time;
> +@@ -143,17 +143,24 @@ static time_t timestamp_time;
>   int setup_timestamp(void)
>   {
>     struct stat statbuf;
> @@ -36,7 +36,7 @@ Signed-off-by: Steven Barth <steven at midlink.org>
>         {
>           /* time already OK, update timestamp, and do key checking from the start. */
>           if (utimes(daemon->timestamp_file, NULL) == -1)
> -@@ -493,7 +500,7 @@ int setup_timestamp(void)
> +@@ -174,7 +181,7 @@ int setup_timestamp(void)
>
>           close(fd);
>
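Review bot: both nested hunk headers in this file move by the same offset (462 to 143 and 493 to 174) with the context lines untouched, which is consistent with a pure refresh; a shift of that size inside dnssec.c means the surrounding code was reorganised upstream, so a DNSSEC-enabled build of 2.79rc1 should be checked to confirm setup_timestamp() still applies the timestamp heuristic as intended, not just that the patch applies cleanly.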
> diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch
> index d21ca0dbaa..415c7a5e4c 100644
> --- a/package/network/services/dnsmasq/patches/240-ubus.patch
> +++ b/package/network/services/dnsmasq/patches/240-ubus.patch
> @@ -74,7 +74,7 @@
>   int main (int argc, char **argv)
>   {
>     int bind_fallback = 0;
> -@@ -911,6 +971,7 @@ int main (int argc, char **argv)
> +@@ -928,6 +988,7 @@ int main (int argc, char **argv)
>         set_dbus_listeners();
>   #endif
>
> @@ -82,7 +82,7 @@
>   #ifdef HAVE_DHCP
>         if (daemon->dhcp || daemon->relay4)
>         {
> -@@ -1041,6 +1102,8 @@ int main (int argc, char **argv)
> +@@ -1058,6 +1119,8 @@ int main (int argc, char **argv)
>         check_dbus_listeners();
>   #endif
>
> @@ -104,7 +104,7 @@
>   mostly_clean :
>  --- a/src/dnsmasq.h
>  +++ b/src/dnsmasq.h
> -@@ -1397,6 +1397,8 @@ void emit_dbus_signal(int action, struct
> +@@ -1415,6 +1415,8 @@ void emit_dbus_signal(int action, struct
>   #  endif
>   #endif
>
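Review bot: only the nested line numbers change here (+17 in dnsmasq.c, +18 in dnsmasq.h) and the context (set_dbus_listeners, check_dbus_listeners, the emit_dbus_signal prototype) is identical, so this is an offset-only refresh; the shift matches the extra lines the now-upstream SIGINT change adds in main() and sig_handler, so the ubus hooks should still sit next to their dbus counterparts, but since 240-ubus.patch and that change touch the same event loop, a quick look at the refreshed patch body (not just the headers) is worthwhile.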
> diff --git a/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch b/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch
> deleted file mode 100644
> index faff680e03..0000000000
> --- a/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch
> +++ /dev/null
> @@ -1,45 +0,0 @@
> -From ef3d137a646fa8309e1ff5184e3e145eef40cc4d Mon Sep 17 00:00:00 2001
> -From: Simon Kelley <simon at thekelleys.org.uk>
> -Date: Tue, 5 Dec 2017 22:37:29 +0000
> -Subject: [PATCH] Fix infinite retries in strict-order mode.
> -
> - If all configured dns servers return refused in
> - response to a query; dnsmasq will end up in an infinite loop
> - retransmitting the dns query resulting into high CPU load.
> - Problem is caused by the dns refuse retransmission logic which does
> - not check for the end of a dns server list iteration in strict mode.
> - Having one configured dns server returning a refused reply easily
> - triggers this problem in strict order mode. This was introduced in
> - 9396752c115b3ab733fa476b30da73237e12e7ba
> -
> - Thanks to Hans Dedecker <dedeckeh at gmail.com> for spotting this
> - and the initial patch.
> ----
> - src/forward.c | 14 ++++++++++++--
> - 1 file changed, 12 insertions(+), 2 deletions(-)
> -
> ---- a/src/forward.c
> -+++ b/src/forward.c
> -@@ -797,10 +797,20 @@ void reply_query(int fd, int family, tim
> -       unsigned char *pheader;
> -       size_t plen;
> -       int is_sign;
> --
> -+
> -+      /* In strict order mode, there must be a server later in the chain
> -+       left to send to, otherwise without the forwardall mechanism,
> -+       code further on will cycle around the list forwever if they
> -+       all return REFUSED. Note that server is always non-NULL before
> -+       this executes. */
> -+      if (option_bool(OPT_ORDER))
> -+      for (server = forward->sentto->next; server; server = server->next)
> -+        if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP)))
> -+          break;
> -+
> -       /* recreate query from reply */
> -       pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, NULL);
> --      if (!is_sign)
> -+      if (!is_sign && server)
> -       {
> -         header->ancount = htons(0);
> -         header->nscount = htons(0);
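Review bot: the deleted file carries upstream commit ef3d137a646fa8309e1ff5184e3e145eef40cc4d, which appears in the bump's changelog as "ef3d137 Fix infinite retries in strict-order mode.", so dropping it is correct; keeping it would make the forward.c hunk fail to apply on 2.79rc1.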
> diff --git a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> deleted file mode 100644
> index e280142f75..0000000000
> --- a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch
> +++ /dev/null
> @@ -1,120 +0,0 @@
> -From 3c973ad92d317df736d5a8fde67baba6b102d91e Mon Sep 17 00:00:00 2001
> -From: Simon Kelley <simon at thekelleys.org.uk>
> -Date: Sun, 14 Jan 2018 21:05:37 +0000
> -Subject: [PATCH] Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC
> - time validation.
> -
> ----
> - src/dnsmasq.c |   36 +++++++++++++++++++++++++-----------
> - src/dnsmasq.h |    1 +
> - src/helper.c  |    3 ++-
> - 5 files changed, 38 insertions(+), 14 deletions(-)
> -
> ---- a/src/dnsmasq.c
> -+++ b/src/dnsmasq.c
> -@@ -137,7 +137,8 @@ int main (int argc, char **argv)
> -   sigaction(SIGTERM, &sigact, NULL);
> -   sigaction(SIGALRM, &sigact, NULL);
> -   sigaction(SIGCHLD, &sigact, NULL);
> --
> -+  sigaction(SIGINT, &sigact, NULL);
> -+
> -   /* ignore SIGPIPE */
> -   sigact.sa_handler = SIG_IGN;
> -   sigaction(SIGPIPE, &sigact, NULL);
> -@@ -815,7 +816,7 @@ int main (int argc, char **argv)
> -
> -       daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
> -       if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
> --      my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
> -+      my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until receipt of SIGINT"));
> -
> -       if (rc == 1)
> -       my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
> -@@ -1142,7 +1143,7 @@ static void sig_handler(int sig)
> -     {
> -       /* ignore anything other than TERM during startup
> -        and in helper proc. (helper ignore TERM too) */
> --      if (sig == SIGTERM)
> -+      if (sig == SIGTERM || sig == SIGINT)
> -       exit(EC_MISC);
> -     }
> -   else if (pid != getpid())
> -@@ -1168,6 +1169,15 @@ static void sig_handler(int sig)
> -       event = EVENT_DUMP;
> -       else if (sig == SIGUSR2)
> -       event = EVENT_REOPEN;
> -+      else if (sig == SIGINT)
> -+      {
> -+        /* Handle SIGINT normally in debug mode, so
> -+           ctrl-c continues to operate. */
> -+        if (option_bool(OPT_DEBUG))
> -+          exit(EC_MISC);
> -+        else
> -+          event = EVENT_TIME;
> -+      }
> -       else
> -       return;
> -
> -@@ -1295,14 +1305,7 @@ static void async_event(int pipe, time_t
> -       {
> -       case EVENT_RELOAD:
> -       daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
> --
> --#ifdef HAVE_DNSSEC
> --      if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
> --        {
> --          my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
> --          daemon->dnssec_no_time_check = 0;
> --        }
> --#endif
> -+
> -       /* fall through */
> -
> -       case EVENT_INIT:
> -@@ -1411,6 +1414,17 @@ static void async_event(int pipe, time_t
> -       poll_resolv(0, 1, now);
> -       break;
> -
> -+      case EVENT_TIME:
> -+#ifdef HAVE_DNSSEC
> -+      if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
> -+        {
> -+          my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
> -+          daemon->dnssec_no_time_check = 0;
> -+          clear_cache_and_reload(now);
> -+        }
> -+#endif
> -+      break;
> -+
> -       case EVENT_TERM:
> -       /* Knock all our children on the head. */
> -       for (i = 0; i < MAX_PROCS; i++)
> ---- a/src/dnsmasq.h
> -+++ b/src/dnsmasq.h
> -@@ -175,6 +175,7 @@ struct event_desc {
> - #define EVENT_NEWROUTE   23
> - #define EVENT_TIME_ERR   24
> - #define EVENT_SCRIPT_LOG 25
> -+#define EVENT_TIME       26
> -
> - /* Exit codes. */
> - #define EC_GOOD        0
> ---- a/src/helper.c
> -+++ b/src/helper.c
> -@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_
> -       return pipefd[1];
> -     }
> -
> --  /* ignore SIGTERM, so that we can clean up when the main process gets hit
> -+  /* ignore SIGTERM and SIGINT, so that we can clean up when the main process gets hit
> -      and SIGALRM so that we can use sleep() */
> -   sigact.sa_handler = SIG_IGN;
> -   sigact.sa_flags = 0;
> -   sigemptyset(&sigact.sa_mask);
> -   sigaction(SIGTERM, &sigact, NULL);
> -   sigaction(SIGALRM, &sigact, NULL);
> -+  sigaction(SIGINT, &sigact, NULL);
> -
> -   if (!option_bool(OPT_DEBUG) && uid != 0)
> -     {
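Review bot: this matches upstream 3c973ad (listed in the changelog), so removal is right, but the behaviour it introduces is now unconditional in 2.79rc1 and deserves a mention in the commit message: as the deleted EVENT_RELOAD and new EVENT_TIME cases show, a cache reload (SIGHUP) no longer clears dnssec_no_time_check; only SIGINT does. Anything in the package that sends SIGHUP to dnsmasq once the clock is valid, intending to turn on DNSSEC signature timestamp checking, must send SIGINT instead, otherwise timestamps stay unchecked indefinitely and expired signatures keep validating.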
> diff --git a/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch b/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
> deleted file mode 100644
> index d13ac2cbad..0000000000
> --- a/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch
> +++ /dev/null
> @@ -1,202 +0,0 @@
> -From 4fe6744a220eddd3f1749b40cac3dfc510787de6 Mon Sep 17 00:00:00 2001
> -From: Simon Kelley <simon at thekelleys.org.uk>
> -Date: Fri, 19 Jan 2018 12:26:08 +0000
> -Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107
> - applies.
> -
> -It's OK for NSEC records to be expanded from wildcards,
> -but in that case, the proof of non-existence is only valid
> -starting at the wildcard name, *.<domain> NOT the name expanded
> -from the wildcard. Without this check it's possible for an
> -attacker to craft an NSEC which wrongly proves non-existence
> -in a domain which includes a wildcard for NSEC.
> ----
> - src/dnssec.c |  117 +++++++++++++++++++++++++++++++++++++++++++++++++++-------
> - 2 files changed, 114 insertions(+), 15 deletions(-)
> -
> ---- a/src/dnssec.c
> -+++ b/src/dnssec.c
> -@@ -424,15 +424,17 @@ static void from_wire(char *name)
> - static int count_labels(char *name)
> - {
> -   int i;
> --
> -+  char *p;
> -+
> -   if (*name == 0)
> -     return 0;
> -
> --  for (i = 0; *name; name++)
> --    if (*name == '.')
> -+  for (p = name, i = 0; *p; p++)
> -+    if (*p == '.')
> -       i++;
> -
> --  return i+1;
> -+  /* Don't count empty first label. */
> -+  return *name == '.' ? i : i+1;
> - }
> -
> - /* Implement RFC1982 wrapped compare for 32-bit numbers */
> -@@ -1412,8 +1414,8 @@ static int hostname_cmp(const char *a, c
> -     }
> - }
> -
> --static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, int nsec_count,
> --                                  char *workspace1, char *workspace2, char *name, int type, int *nons)
> -+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, unsigned char **nsecs, unsigned char **labels, int nsec_count,
> -+                                  char *workspace1_in, char *workspace2, char *name, int type, int *nons)
> - {
> -   int i, rc, rdlen;
> -   unsigned char *p, *psave;
> -@@ -1426,6 +1428,9 @@ static int prove_non_existence_nsec(stru
> -   /* Find NSEC record that proves name doesn't exist */
> -   for (i = 0; i < nsec_count; i++)
> -     {
> -+      char *workspace1 = workspace1_in;
> -+      int sig_labels, name_labels;
> -+
> -       p = nsecs[i];
> -       if (!extract_name(header, plen, &p, workspace1, 1, 10))
> -       return 0;
> -@@ -1434,7 +1439,27 @@ static int prove_non_existence_nsec(stru
> -       psave = p;
> -       if (!extract_name(header, plen, &p, workspace2, 1, 10))
> -       return 0;
> --
> -+
> -+      /* If NSEC comes from wildcard expansion, use original wildcard
> -+       as name for computation. */
> -+      sig_labels = *labels[i];
> -+      name_labels = count_labels(workspace1);
> -+
> -+      if (sig_labels < name_labels)
> -+      {
> -+        int k;
> -+        for (k = name_labels - sig_labels; k != 0; k--)
> -+          {
> -+            while (*workspace1 != '.' && *workspace1 != 0)
> -+              workspace1++;
> -+            if (k != 1 && *workspace1 == '.')
> -+              workspace1++;
> -+          }
> -+
> -+        workspace1--;
> -+        *workspace1 = '*';
> -+      }
> -+
> -       rc = hostname_cmp(workspace1, name);
> -
> -       if (rc == 0)
> -@@ -1832,24 +1857,26 @@ static int prove_non_existence_nsec3(str
> -
> - static int prove_non_existence(struct dns_header *header, size_t plen, char *keyname, char *name, int qtype, int qclass, char *wildname, int *nons)
> - {
> --  static unsigned char **nsecset = NULL;
> --  static int nsecset_sz = 0;
> -+  static unsigned char **nsecset = NULL, **rrsig_labels = NULL;
> -+  static int nsecset_sz = 0, rrsig_labels_sz = 0;
> -
> -   int type_found = 0;
> --  unsigned char *p = skip_questions(header, plen);
> -+  unsigned char *auth_start, *p = skip_questions(header, plen);
> -   int type, class, rdlen, i, nsecs_found;
> -
> -   /* Move to NS section */
> -   if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen)))
> -     return 0;
> -+
> -+  auth_start = p;
> -
> -   for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--)
> -     {
> -       unsigned char *pstart = p;
> -
> --      if (!(p = skip_name(p, header, plen, 10)))
> -+      if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10))
> -       return 0;
> --
> -+
> -       GETSHORT(type, p);
> -       GETSHORT(class, p);
> -       p += 4; /* TTL */
> -@@ -1866,7 +1893,69 @@ static int prove_non_existence(struct dn
> -         if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found))
> -           return 0;
> -
> --        nsecset[nsecs_found++] = pstart;
> -+        if (type == T_NSEC)
> -+          {
> -+            /* If we're looking for NSECs, find the corresponding SIGs, to
> -+               extract the labels value, which we need in case the NSECs
> -+               are the result of wildcard expansion.
> -+               Note that the NSEC may not have been validated yet
> -+               so if there are multiple SIGs, make sure the label value
> -+               is the same in all, to avoid be duped by a rogue one.
> -+               If there are no SIGs, that's an error */
> -+            unsigned char *p1 = auth_start;
> -+            int res, j, rdlen1, type1, class1;
> -+
> -+            if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, nsecs_found))
> -+              return 0;
> -+
> -+            rrsig_labels[nsecs_found] = NULL;
> -+
> -+            for (j = ntohs(header->nscount); j != 0; j--)
> -+              {
> -+                if (!(res = extract_name(header, plen, &p1, daemon->workspacename, 0, 10)))
> -+                  return 0;
> -+
> -+                 GETSHORT(type1, p1);
> -+                 GETSHORT(class1, p1);
> -+                 p1 += 4; /* TTL */
> -+                 GETSHORT(rdlen1, p1);
> -+
> -+                 if (!CHECK_LEN(header, p1, plen, rdlen1))
> -+                   return 0;
> -+
> -+                 if (res == 1 && class1 == qclass && type1 == T_RRSIG)
> -+                   {
> -+                     int type_covered;
> -+                     unsigned char *psav = p1;
> -+
> -+                     if (rdlen1 < 18)
> -+                       return 0; /* bad packet */
> -+
> -+                     GETSHORT(type_covered, p1);
> -+
> -+                     if (type_covered == T_NSEC)
> -+                       {
> -+                         p1++; /* algo */
> -+
> -+                         /* labels field must be the same in every SIG we find. */
> -+                         if (!rrsig_labels[nsecs_found])
> -+                           rrsig_labels[nsecs_found] = p1;
> -+                         else if (*rrsig_labels[nsecs_found] != *p1) /* algo */
> -+                           return 0;
> -+                         }
> -+                     p1 = psav;
> -+                   }
> -+
> -+                 if (!ADD_RDLEN(header, p1, plen, rdlen1))
> -+                   return 0;
> -+              }
> -+
> -+            /* Must have found at least one sig. */
> -+            if (!rrsig_labels[nsecs_found])
> -+              return 0;
> -+          }
> -+
> -+        nsecset[nsecs_found++] = pstart;
> -       }
> -
> -       if (!ADD_RDLEN(header, p, plen, rdlen))
> -@@ -1874,7 +1963,7 @@ static int prove_non_existence(struct dn
> -     }
> -
> -   if (type_found == T_NSEC)
> --    return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
> -+    return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, nsecs_found, daemon->workspacename, keyname, name, qtype, nons);
> -   else if (type_found == T_NSEC3)
> -     return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, daemon->workspacename, keyname, name, qtype, wildname, nons);
> -   else
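Review bot: this is upstream 4fe6744 (DNSSEC fix for wildcard NSEC records, CVE-2017-15107), now in the 2.79rc1 tarball, so removing it is correct; the changelog also carries cd7df61 "Fix DNSSEC validation errors introduced in 4fe6744...", so the bump brings the follow-up correction that the 2.78 + 270-dnssec-wildcards.patch combination lacked. Since this is a user-visible DNSSEC validation fix, the commit message should call it out explicitly rather than leaving it buried in the changelog list.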
> --
> 2.14.3 (Apple Git-98)
>
>