filterMsg removes OPT RRs, DNSSEC RRs if do is false, sets TTL to ttl if it's not equal to 0 and puts the results to appropriate fields of dst. It also filters the AD bit if both ad and do are false.
(dst, m *dns.Msg, ad, do bool, ttl uint32)
| 642 | // not equal to 0 and puts the results to appropriate fields of dst. It also |
| 643 | // filters the AD bit if both ad and do are false. |
| 644 | func filterMsg(dst, m *dns.Msg, ad, do bool, ttl uint32) { |
| 645 | // As RFC 6840 says, validating resolvers should only set the AD bit when a |
| 646 | // response both meets the conditions listed in RFC 4035, and the request |
| 647 | // contained either a set DO bit or a set AD bit. |
| 648 | dst.AuthenticatedData = dst.AuthenticatedData && (ad || do) |
| 649 | |
| 650 | // It's important to filter out only DNSSEC RRs that aren't explicitly |
| 651 | // requested. |
| 652 | // |
| 653 | // See https://datatracker.ietf.org/doc/html/rfc4035#section-3.2.1 and |
| 654 | // https://github.com/AdguardTeam/dnsproxy/issues/144. |
| 655 | dst.Answer = filterRRSlice(m.Answer, do, ttl, m.Question[0].Qtype) |
| 656 | dst.Ns = filterRRSlice(m.Ns, do, ttl, dns.TypeNone) |
| 657 | dst.Extra = filterRRSlice(m.Extra, do, ttl, dns.TypeNone) |
| 658 | } |
no test coverage detected
searching dependent graphs…