- harden-below-nxdomain: changed so that it activates when the

cached nxdomain is dnssec secure.  This avoids backwards
         incompatibility because those old servers do not have dnssec.


git-svn-id: file:///svn/unbound/trunk@2407 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,8 @@
+29 March 2011: Wouter
+	- harden-below-nxdomain: changed so that it activates when the
+	  cached nxdomain is dnssec secure.  This avoids backwards
+	  incompatibility because those old servers do not have dnssec.
+
 24 March 2011: Wouter
 	- iana portlist updated.
 	- release 1.4.9.

doc/unbound.conf.5.in

@@ -471,7 +471,9 @@ From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
 below another name that is already known to be nxdomain.  DNSSEC mandates
 noerror for empty nonterminals, hence this is possible.  Very old software
 might return nxdomain for empty nonterminals (that usually happen for reverse
-IP address lookups), and thus may be incompatible with this.  Default is off.
+IP address lookups), and thus may be incompatible with this.  To try to avoid
+this only DNSSEC-secure nxdomains are used, because the old software does not
+have DNSSEC.  Default is off.
 .TP
 .B harden\-referral\-path: \fI<yes or no>
 Harden the referral path by performing additional queries for

services/cache/dns.c

@@ -685,7 +685,7 @@ dns_cache_lookup(struct module_env* env,
 			struct reply_info* data = (struct reply_info*)e->data;
 			struct dns_msg* msg;
 			if(FLAGS_GET_RCODE(data->flags) == LDNS_RCODE_NXDOMAIN
-			  && data->security != sec_status_bogus
+			  && data->security == sec_status_secure
 			  && (msg=tomsg(env, &k, data, region, now, scratch))){
 				lock_rw_unlock(&e->lock);
 				msg->qinfo.qname=qname;