On Thu, Feb 15, 2018 at 11:45 AM, Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk> wrote: > 1721453 Remove special handling of A-for-A queries. > 499d8dd Fix boundary for test introduced in > 3e3f1029c9ec6c63e430ff51063a6301d4b2262 > 6f1cbfd Fix debian/readme typo. > 55ecde7 Inotify: Ignore backup files created by editors > 6b54d69 Make failure to chown() pidfile a warning. > 246a31c Change ownership of pid file, to keep systemd happy. > 83e4b73 Remove confusion between --user and --script-user. > 6340ca7 Tweak heuristic for initial DNSSEC memory allocation. > baf553d Default min-port to 1024 to avoid reserved ports. > 486bcd5 Simplify and correct bindtodevice(). > be9a74d Close Debian bug for CVE-2017-15107. > ffcbc0f Example config typo fixes. > a969ba6 Special case NSEC processing for root DS record, to avoid spurious > BOGUS. > f178172 Add homepage to Debian control file. > cd7df61 Fix DNSSEC validation errors introduced in > 4fe6744a220eddd3f1749b40cac3dfc510787de6 > c1a4e25 Try to be a little more clever at falling back to smaller DNS packet > sizes. > 4fe6744 DNSSEC fix for wildcard NSEC records. CVE-2017-15107 applies. > 3bd4c47 Remove limit on length of command-line options. > 98196c4 Typo fix. > 22cd860 Allow more than one --bridge-interface option to refer to an > interface. > 3c973ad Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC time > validation. > faaf306 Spelling fixes. > c7e6aea Change references to gPXE to iPXE. Development of EtherBoot gPXE was > always development of iPXE core developer Michael Brown. > e541245 Handle duplicate RRs in DNSSEC validation. > 84a01be Bump year in Debian copyright notice. > d1ced3a Update copyrights to 2018. > a6cee69 Fix exit code from dhcp_release6. > 0039920 Severely fix code formating of contrib/lease-tools/dhcp_release6.c > 39d8550 Run Debian startup regex in "C" locale. > ef3d137 Fix infinite retries in strict-order mode. > 8c707e1 Make 373e91738929a3d416e6292e65824184ba8428a6 compile without DNSSEC. > 373e917 Fix a6004d7f17687ac2455f724d0b57098c413f128d to cope with >256 RRs in > answer section. > 74f0f9a Commment language tweaks. > ed6bdb0 Man page typos. > c88af04 Modify doc.html to mention git-over-http is now available. > ae0187d Fix trust-anchor regexp in Debian init script. > 0c50e3d Bump version in Debian package. > 075366a Open inotify socket only when used. > 8e8b2d6 Release notes update. > 087eb76 Always return a SERVFAIL response to DNS queries with RD=0. > ebedcba Typo in printf format string added in > 22dee512f3738f87539a79aeb52b9e670b3bd104 > 0954a97 Remove RSA/MD5 DNSSEC algorithm. > b77efc1 Tidy DNSSEC algorithm table use. > 3b0cb34 Fix manpage which said ZSK but meant KSK. > aa6f832 Add a few DNS RRs to the table. > ad9c6f0 Add support for Ed25519 DNSSEC signature algorithm. > a6004d7 Fix caching logic for validated answers. > c366717 Tidy up add_resource_record() buffer size checks. > 22dee51 Log DNS server max packet size reduction. > 6fd5d79 Fix logic on EDNS0 headers. > 9d6918d Use IP[V6]_UNICAST_IF socket option instead of SO_BINDTODEVICE for > DNS. > a49c5c2 Fix search_servers() segfault with DNSSEC. > 30858e3 Spaces in CNAME options break parsing. > > Refresh patches. > Remove upstreamed patches: > 250-Fix-infinite-retries-in-strict-order-mode.patch > 260-dnssec-SIGINT.patch > 270-dnssec-wildcards.patch > > Signed-off-by: Kevin Darbyshire-Bryant <l...@darbyshire-bryant.me.uk> Thanks; patch applied to my staging tree https://git.openwrt.org/?p=openwrt/staging/dedeckeh.git;a=commit;h=cc48ab251ce16da2e8ec4e13a29c0e8732980735
Hans > --- > package/network/services/dnsmasq/Makefile | 8 +- > .../210-dnssec-improve-timestamp-heuristic.patch | 4 +- > .../services/dnsmasq/patches/240-ubus.patch | 6 +- > ...Fix-infinite-retries-in-strict-order-mode.patch | 45 ----- > .../dnsmasq/patches/260-dnssec-SIGINT.patch | 120 ------------ > .../dnsmasq/patches/270-dnssec-wildcards.patch | 202 > --------------------- > 6 files changed, 9 insertions(+), 376 deletions(-) > delete mode 100644 > package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch > delete mode 100644 > package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch > delete mode 100644 > package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch > > diff --git a/package/network/services/dnsmasq/Makefile > b/package/network/services/dnsmasq/Makefile > index 7ba7d56b52..46b68a24a6 100644 > --- a/package/network/services/dnsmasq/Makefile > +++ b/package/network/services/dnsmasq/Makefile > @@ -8,12 +8,12 @@ > include $(TOPDIR)/rules.mk > > PKG_NAME:=dnsmasq > -PKG_VERSION:=2.78 > -PKG_RELEASE:=10 > +PKG_VERSION:=2.79rc1 > +PKG_RELEASE:=1 > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz > -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/ > -PKG_HASH:=89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b > +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates/ > +PKG_HASH:=57d17a3a6cf34af5dcbc5107c45b05671bda9d250718fe073ca12c5f61099985 > > PKG_LICENSE:=GPL-2.0 > PKG_LICENSE_FILES:=COPYING > diff --git > a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch > > b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch > index 2f854d490b..be1195abbd 100644 > --- > a/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch > +++ > b/package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch > @@ -10,7 +10,7 @@ Signed-off-by: Steven Barth <ste...@midlink.org> > > --- a/src/dnssec.c > +++ b/src/dnssec.c > -@@ -462,17 +462,24 @@ static time_t timestamp_time; > +@@ -143,17 +143,24 @@ static time_t timestamp_time; > int setup_timestamp(void) > { > struct stat statbuf; > @@ -36,7 +36,7 @@ Signed-off-by: Steven Barth <ste...@midlink.org> > { > /* time already OK, update timestamp, and do key checking from the > start. */ > if (utimes(daemon->timestamp_file, NULL) == -1) > -@@ -493,7 +500,7 @@ int setup_timestamp(void) > +@@ -174,7 +181,7 @@ int setup_timestamp(void) > > close(fd); > > diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch > b/package/network/services/dnsmasq/patches/240-ubus.patch > index d21ca0dbaa..415c7a5e4c 100644 > --- a/package/network/services/dnsmasq/patches/240-ubus.patch > +++ b/package/network/services/dnsmasq/patches/240-ubus.patch > @@ -74,7 +74,7 @@ > int main (int argc, char **argv) > { > int bind_fallback = 0; > -@@ -911,6 +971,7 @@ int main (int argc, char **argv) > +@@ -928,6 +988,7 @@ int main (int argc, char **argv) > set_dbus_listeners(); > #endif > > @@ -82,7 +82,7 @@ > #ifdef HAVE_DHCP > if (daemon->dhcp || daemon->relay4) > { > -@@ -1041,6 +1102,8 @@ int main (int argc, char **argv) > +@@ -1058,6 +1119,8 @@ int main (int argc, char **argv) > check_dbus_listeners(); > #endif > > @@ -104,7 +104,7 @@ > mostly_clean : > --- a/src/dnsmasq.h > +++ b/src/dnsmasq.h > -@@ -1397,6 +1397,8 @@ void emit_dbus_signal(int action, struct > +@@ -1415,6 +1415,8 @@ void emit_dbus_signal(int action, struct > # endif > #endif > > diff --git > a/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch > > b/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch > deleted file mode 100644 > index faff680e03..0000000000 > --- > a/package/network/services/dnsmasq/patches/250-Fix-infinite-retries-in-strict-order-mode.patch > +++ /dev/null > @@ -1,45 +0,0 @@ > -From ef3d137a646fa8309e1ff5184e3e145eef40cc4d Mon Sep 17 00:00:00 2001 > -From: Simon Kelley <si...@thekelleys.org.uk> > -Date: Tue, 5 Dec 2017 22:37:29 +0000 > -Subject: [PATCH] Fix infinite retries in strict-order mode. > - > - If all configured dns servers return refused in > - response to a query; dnsmasq will end up in an infinite loop > - retransmitting the dns query resulting into high CPU load. > - Problem is caused by the dns refuse retransmission logic which does > - not check for the end of a dns server list iteration in strict mode. > - Having one configured dns server returning a refused reply easily > - triggers this problem in strict order mode. This was introduced in > - 9396752c115b3ab733fa476b30da73237e12e7ba > - > - Thanks to Hans Dedecker <dedec...@gmail.com> for spotting this > - and the initial patch. > ---- > - src/forward.c | 14 ++++++++++++-- > - 1 file changed, 12 insertions(+), 2 deletions(-) > - > ---- a/src/forward.c > -+++ b/src/forward.c > -@@ -797,10 +797,20 @@ void reply_query(int fd, int family, tim > - unsigned char *pheader; > - size_t plen; > - int is_sign; > -- > -+ > -+ /* In strict order mode, there must be a server later in the chain > -+ left to send to, otherwise without the forwardall mechanism, > -+ code further on will cycle around the list forwever if they > -+ all return REFUSED. Note that server is always non-NULL before > -+ this executes. */ > -+ if (option_bool(OPT_ORDER)) > -+ for (server = forward->sentto->next; server; server = server->next) > -+ if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | > SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP))) > -+ break; > -+ > - /* recreate query from reply */ > - pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, > NULL); > -- if (!is_sign) > -+ if (!is_sign && server) > - { > - header->ancount = htons(0); > - header->nscount = htons(0); > diff --git a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch > b/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch > deleted file mode 100644 > index e280142f75..0000000000 > --- a/package/network/services/dnsmasq/patches/260-dnssec-SIGINT.patch > +++ /dev/null > @@ -1,120 +0,0 @@ > -From 3c973ad92d317df736d5a8fde67baba6b102d91e Mon Sep 17 00:00:00 2001 > -From: Simon Kelley <si...@thekelleys.org.uk> > -Date: Sun, 14 Jan 2018 21:05:37 +0000 > -Subject: [PATCH] Use SIGINT (instead of overloading SIGHUP) to turn on DNSSEC > - time validation. > - > ---- > - src/dnsmasq.c | 36 +++++++++++++++++++++++++----------- > - src/dnsmasq.h | 1 + > - src/helper.c | 3 ++- > - 5 files changed, 38 insertions(+), 14 deletions(-) > - > ---- a/src/dnsmasq.c > -+++ b/src/dnsmasq.c > -@@ -137,7 +137,8 @@ int main (int argc, char **argv) > - sigaction(SIGTERM, &sigact, NULL); > - sigaction(SIGALRM, &sigact, NULL); > - sigaction(SIGCHLD, &sigact, NULL); > -- > -+ sigaction(SIGINT, &sigact, NULL); > -+ > - /* ignore SIGPIPE */ > - sigact.sa_handler = SIG_IGN; > - sigaction(SIGPIPE, &sigact, NULL); > -@@ -815,7 +816,7 @@ int main (int argc, char **argv) > - > - daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); > - if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) > -- my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until > first cache reload")); > -+ my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until > receipt of SIGINT")); > - > - if (rc == 1) > - my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until > system time valid")); > -@@ -1142,7 +1143,7 @@ static void sig_handler(int sig) > - { > - /* ignore anything other than TERM during startup > - and in helper proc. (helper ignore TERM too) */ > -- if (sig == SIGTERM) > -+ if (sig == SIGTERM || sig == SIGINT) > - exit(EC_MISC); > - } > - else if (pid != getpid()) > -@@ -1168,6 +1169,15 @@ static void sig_handler(int sig) > - event = EVENT_DUMP; > - else if (sig == SIGUSR2) > - event = EVENT_REOPEN; > -+ else if (sig == SIGINT) > -+ { > -+ /* Handle SIGINT normally in debug mode, so > -+ ctrl-c continues to operate. */ > -+ if (option_bool(OPT_DEBUG)) > -+ exit(EC_MISC); > -+ else > -+ event = EVENT_TIME; > -+ } > - else > - return; > - > -@@ -1295,14 +1305,7 @@ static void async_event(int pipe, time_t > - { > - case EVENT_RELOAD: > - daemon->soa_sn++; /* Bump zone serial, as it may have changed. */ > -- > --#ifdef HAVE_DNSSEC > -- if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && > option_bool(OPT_DNSSEC_TIME)) > -- { > -- my_syslog(LOG_INFO, _("now checking DNSSEC signature > timestamps")); > -- daemon->dnssec_no_time_check = 0; > -- } > --#endif > -+ > - /* fall through */ > - > - case EVENT_INIT: > -@@ -1411,6 +1414,17 @@ static void async_event(int pipe, time_t > - poll_resolv(0, 1, now); > - break; > - > -+ case EVENT_TIME: > -+#ifdef HAVE_DNSSEC > -+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && > option_bool(OPT_DNSSEC_TIME)) > -+ { > -+ my_syslog(LOG_INFO, _("now checking DNSSEC signature > timestamps")); > -+ daemon->dnssec_no_time_check = 0; > -+ clear_cache_and_reload(now); > -+ } > -+#endif > -+ break; > -+ > - case EVENT_TERM: > - /* Knock all our children on the head. */ > - for (i = 0; i < MAX_PROCS; i++) > ---- a/src/dnsmasq.h > -+++ b/src/dnsmasq.h > -@@ -175,6 +175,7 @@ struct event_desc { > - #define EVENT_NEWROUTE 23 > - #define EVENT_TIME_ERR 24 > - #define EVENT_SCRIPT_LOG 25 > -+#define EVENT_TIME 26 > - > - /* Exit codes. */ > - #define EC_GOOD 0 > ---- a/src/helper.c > -+++ b/src/helper.c > -@@ -97,13 +97,14 @@ int create_helper(int event_fd, int err_ > - return pipefd[1]; > - } > - > -- /* ignore SIGTERM, so that we can clean up when the main process gets hit > -+ /* ignore SIGTERM and SIGINT, so that we can clean up when the main > process gets hit > - and SIGALRM so that we can use sleep() */ > - sigact.sa_handler = SIG_IGN; > - sigact.sa_flags = 0; > - sigemptyset(&sigact.sa_mask); > - sigaction(SIGTERM, &sigact, NULL); > - sigaction(SIGALRM, &sigact, NULL); > -+ sigaction(SIGINT, &sigact, NULL); > - > - if (!option_bool(OPT_DEBUG) && uid != 0) > - { > diff --git > a/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch > b/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch > deleted file mode 100644 > index d13ac2cbad..0000000000 > --- a/package/network/services/dnsmasq/patches/270-dnssec-wildcards.patch > +++ /dev/null > @@ -1,202 +0,0 @@ > -From 4fe6744a220eddd3f1749b40cac3dfc510787de6 Mon Sep 17 00:00:00 2001 > -From: Simon Kelley <si...@thekelleys.org.uk> > -Date: Fri, 19 Jan 2018 12:26:08 +0000 > -Subject: [PATCH] DNSSEC fix for wildcard NSEC records. CVE-2017-15107 > - applies. > - > -It's OK for NSEC records to be expanded from wildcards, > -but in that case, the proof of non-existence is only valid > -starting at the wildcard name, *.<domain> NOT the name expanded > -from the wildcard. Without this check it's possible for an > -attacker to craft an NSEC which wrongly proves non-existence > -in a domain which includes a wildcard for NSEC. > ---- > - src/dnssec.c | 117 > +++++++++++++++++++++++++++++++++++++++++++++++++++------- > - 2 files changed, 114 insertions(+), 15 deletions(-) > - > ---- a/src/dnssec.c > -+++ b/src/dnssec.c > -@@ -424,15 +424,17 @@ static void from_wire(char *name) > - static int count_labels(char *name) > - { > - int i; > -- > -+ char *p; > -+ > - if (*name == 0) > - return 0; > - > -- for (i = 0; *name; name++) > -- if (*name == '.') > -+ for (p = name, i = 0; *p; p++) > -+ if (*p == '.') > - i++; > - > -- return i+1; > -+ /* Don't count empty first label. */ > -+ return *name == '.' ? i : i+1; > - } > - > - /* Implement RFC1982 wrapped compare for 32-bit numbers */ > -@@ -1412,8 +1414,8 @@ static int hostname_cmp(const char *a, c > - } > - } > - > --static int prove_non_existence_nsec(struct dns_header *header, size_t plen, > unsigned char **nsecs, int nsec_count, > -- char *workspace1, char *workspace2, char > *name, int type, int *nons) > -+static int prove_non_existence_nsec(struct dns_header *header, size_t plen, > unsigned char **nsecs, unsigned char **labels, int nsec_count, > -+ char *workspace1_in, char *workspace2, > char *name, int type, int *nons) > - { > - int i, rc, rdlen; > - unsigned char *p, *psave; > -@@ -1426,6 +1428,9 @@ static int prove_non_existence_nsec(stru > - /* Find NSEC record that proves name doesn't exist */ > - for (i = 0; i < nsec_count; i++) > - { > -+ char *workspace1 = workspace1_in; > -+ int sig_labels, name_labels; > -+ > - p = nsecs[i]; > - if (!extract_name(header, plen, &p, workspace1, 1, 10)) > - return 0; > -@@ -1434,7 +1439,27 @@ static int prove_non_existence_nsec(stru > - psave = p; > - if (!extract_name(header, plen, &p, workspace2, 1, 10)) > - return 0; > -- > -+ > -+ /* If NSEC comes from wildcard expansion, use original wildcard > -+ as name for computation. */ > -+ sig_labels = *labels[i]; > -+ name_labels = count_labels(workspace1); > -+ > -+ if (sig_labels < name_labels) > -+ { > -+ int k; > -+ for (k = name_labels - sig_labels; k != 0; k--) > -+ { > -+ while (*workspace1 != '.' && *workspace1 != 0) > -+ workspace1++; > -+ if (k != 1 && *workspace1 == '.') > -+ workspace1++; > -+ } > -+ > -+ workspace1--; > -+ *workspace1 = '*'; > -+ } > -+ > - rc = hostname_cmp(workspace1, name); > - > - if (rc == 0) > -@@ -1832,24 +1857,26 @@ static int prove_non_existence_nsec3(str > - > - static int prove_non_existence(struct dns_header *header, size_t plen, char > *keyname, char *name, int qtype, int qclass, char *wildname, int *nons) > - { > -- static unsigned char **nsecset = NULL; > -- static int nsecset_sz = 0; > -+ static unsigned char **nsecset = NULL, **rrsig_labels = NULL; > -+ static int nsecset_sz = 0, rrsig_labels_sz = 0; > - > - int type_found = 0; > -- unsigned char *p = skip_questions(header, plen); > -+ unsigned char *auth_start, *p = skip_questions(header, plen); > - int type, class, rdlen, i, nsecs_found; > - > - /* Move to NS section */ > - if (!p || !(p = skip_section(p, ntohs(header->ancount), header, plen))) > - return 0; > -+ > -+ auth_start = p; > - > - for (nsecs_found = 0, i = ntohs(header->nscount); i != 0; i--) > - { > - unsigned char *pstart = p; > - > -- if (!(p = skip_name(p, header, plen, 10))) > -+ if (!extract_name(header, plen, &p, daemon->workspacename, 1, 10)) > - return 0; > -- > -+ > - GETSHORT(type, p); > - GETSHORT(class, p); > - p += 4; /* TTL */ > -@@ -1866,7 +1893,69 @@ static int prove_non_existence(struct dn > - if (!expand_workspace(&nsecset, &nsecset_sz, nsecs_found)) > - return 0; > - > -- nsecset[nsecs_found++] = pstart; > -+ if (type == T_NSEC) > -+ { > -+ /* If we're looking for NSECs, find the corresponding SIGs, to > -+ extract the labels value, which we need in case the NSECs > -+ are the result of wildcard expansion. > -+ Note that the NSEC may not have been validated yet > -+ so if there are multiple SIGs, make sure the label value > -+ is the same in all, to avoid be duped by a rogue one. > -+ If there are no SIGs, that's an error */ > -+ unsigned char *p1 = auth_start; > -+ int res, j, rdlen1, type1, class1; > -+ > -+ if (!expand_workspace(&rrsig_labels, &rrsig_labels_sz, > nsecs_found)) > -+ return 0; > -+ > -+ rrsig_labels[nsecs_found] = NULL; > -+ > -+ for (j = ntohs(header->nscount); j != 0; j--) > -+ { > -+ if (!(res = extract_name(header, plen, &p1, > daemon->workspacename, 0, 10))) > -+ return 0; > -+ > -+ GETSHORT(type1, p1); > -+ GETSHORT(class1, p1); > -+ p1 += 4; /* TTL */ > -+ GETSHORT(rdlen1, p1); > -+ > -+ if (!CHECK_LEN(header, p1, plen, rdlen1)) > -+ return 0; > -+ > -+ if (res == 1 && class1 == qclass && type1 == T_RRSIG) > -+ { > -+ int type_covered; > -+ unsigned char *psav = p1; > -+ > -+ if (rdlen1 < 18) > -+ return 0; /* bad packet */ > -+ > -+ GETSHORT(type_covered, p1); > -+ > -+ if (type_covered == T_NSEC) > -+ { > -+ p1++; /* algo */ > -+ > -+ /* labels field must be the same in every SIG we > find. */ > -+ if (!rrsig_labels[nsecs_found]) > -+ rrsig_labels[nsecs_found] = p1; > -+ else if (*rrsig_labels[nsecs_found] != *p1) /* > algo */ > -+ return 0; > -+ } > -+ p1 = psav; > -+ } > -+ > -+ if (!ADD_RDLEN(header, p1, plen, rdlen1)) > -+ return 0; > -+ } > -+ > -+ /* Must have found at least one sig. */ > -+ if (!rrsig_labels[nsecs_found]) > -+ return 0; > -+ } > -+ > -+ nsecset[nsecs_found++] = pstart; > - } > - > - if (!ADD_RDLEN(header, p, plen, rdlen)) > -@@ -1874,7 +1963,7 @@ static int prove_non_existence(struct dn > - } > - > - if (type_found == T_NSEC) > -- return prove_non_existence_nsec(header, plen, nsecset, nsecs_found, > daemon->workspacename, keyname, name, qtype, nons); > -+ return prove_non_existence_nsec(header, plen, nsecset, rrsig_labels, > nsecs_found, daemon->workspacename, keyname, name, qtype, nons); > - else if (type_found == T_NSEC3) > - return prove_non_existence_nsec3(header, plen, nsecset, nsecs_found, > daemon->workspacename, keyname, name, qtype, wildname, nons); > - else > -- > 2.14.3 (Apple Git-98) > > > _______________________________________________ > Lede-dev mailing list > Lede-dev@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/lede-dev _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
