CVSROOT: /cvs
Module name: src
Changes by: flor...@cvs.openbsd.org 2019/12/10 00:49:01
Modified files:
sbin/unwind : resolver.c
Log message:
Similar to doubting NXDOMAIN when we just switched networks we also
need to doubt validation errors as we might find ourselves behind a
captive portal.
The hotspot at schiphol airport uses login.hotspotschiphol.nl:
- it is NXDOMAIN on the public internet
- hotspotschiphol.nl is signed and attests that login does not exist.
- resolves to 1.1.1.5(!) when asking the dhcp nameservers
- the dhcp nameservers pass DNSSEC records so validation works
This resulted in unwind doing validation and answering SERVFAIL since
the answer is bogus.
Input & OK otto
