Explicitly set INSECURE status for replies received either from upstream (if they are not already validated as SECURE) or from cache. This is a direct consequence from the previous commit.

Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-04-09 12:31:10 +02:00 · 2023-04-09 12:31:10 +02:00 · f216cb0b78
parent b22524e54c
commit f216cb0b78
1 changed files with 10 additions and 0 deletions
--- a/src/dnsmasq_interface.c
+++ b/src/dnsmasq_interface.c
@ -2105,6 +2105,10 @@ static void FTL_reply(const unsigned int flags, const char *name, const union al
 		// Save reply type and update individual reply counters
 		query_set_reply(flags, 0, addr, query, response);

+		// Set DNSSEC status to INSECURE if it is still unknown
+		if(query->dnssec == DNSSEC_UNSPECIFIED)
+			query_set_dnssec(query, DNSSEC_INSECURE);
+
 		// Hereby, this query is now fully determined
 		query->flags.complete = true;
 	}
@ -2144,6 +2148,12 @@ static void FTL_reply(const unsigned int flags, const char *name, const union al
 				reply_flags = F_NEG;
 			}
 		}
+		else
+		{
+			// Set DNSSEC status to INSECURE if it is still unknown
+			if(query->dnssec == DNSSEC_UNSPECIFIED)
+				query_set_dnssec(query, DNSSEC_INSECURE);
+		}

 		// Save reply type and update individual reply counters
 		query_set_reply(reply_flags, 0, addr, query, response);