diff options
author | Tom Gundersen <teg@jklm.no> | 2016-01-01 23:07:34 +0100 |
---|---|---|
committer | Tom Gundersen <teg@jklm.no> | 2016-01-03 09:28:48 +0100 |
commit | 146035b3bb2e9a60d82c8816de67c83691d6cbc4 (patch) | |
tree | 1e9b153b42475f0be4295fdf7d550462840dd83e | |
parent | resolved: dnssec - add reference to the algorithm we implement (diff) | |
download | systemd-146035b3bb2e9a60d82c8816de67c83691d6cbc4.tar.xz systemd-146035b3bb2e9a60d82c8816de67c83691d6cbc4.zip |
resolved: don't conclude NODATA if CNAME exists
Instead introduce the new return-code DNSSEC_NSEC_CNAME to indicate
this condition. See RFC 6840, Section 4.3.
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 16 | ||||
-rw-r--r-- | src/resolve/resolved-dns-dnssec.h | 1 | ||||
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 1 |
3 files changed, 16 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 1ffa98ecb3..98d1c6f353 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -1314,8 +1314,15 @@ found_closest_encloser: if (!pp) { /* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */ - *result = bitmap_isset(enclosure_rr->nsec3.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA; + if (bitmap_isset(enclosure_rr->nsec3.types, key->type)) + *result = DNSSEC_NSEC_FOUND; + else if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_CNAME)) + *result = DNSSEC_NSEC_CNAME; + else + *result = DNSSEC_NSEC_NODATA; + *authenticated = a; + return 0; } @@ -1393,7 +1400,12 @@ int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r if (r < 0) return r; if (r > 0) { - *result = bitmap_isset(rr->nsec.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA; + if (bitmap_isset(rr->nsec.types, key->type)) + *result = DNSSEC_NSEC_FOUND; + else if (bitmap_isset(rr->nsec.types, DNS_TYPE_CNAME)) + *result = DNSSEC_NSEC_CNAME; + else + *result = DNSSEC_NSEC_NODATA; *authenticated = flags & DNS_ANSWER_AUTHENTICATED; return 0; } diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h index d7aecbce13..57858d0c15 100644 --- a/src/resolve/resolved-dns-dnssec.h +++ b/src/resolve/resolved-dns-dnssec.h @@ -91,6 +91,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret); typedef enum DnssecNsecResult { DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */ + DNSSEC_NSEC_CNAME, /* Would be NODATA, but for the existence of a CNAME RR */ DNSSEC_NSEC_UNSUPPORTED_ALGORITHM, DNSSEC_NSEC_NXDOMAIN, DNSSEC_NSEC_NODATA, diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index fb95554db3..993db0dc69 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2300,6 +2300,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { break; case DNSSEC_NSEC_FOUND: + case DNSSEC_NSEC_CNAME: /* NSEC says it needs to be there, but we couldn't find it? Bummer! */ t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH; break; |