authorTom Gundersen <teg@jklm.no>2016-01-01 23:07:34 +0100
committerTom Gundersen <teg@jklm.no>2016-01-03 09:28:48 +0100
commit146035b3bb2e9a60d82c8816de67c83691d6cbc4 (patch)
tree1e9b153b42475f0be4295fdf7d550462840dd83e
parentresolved: dnssec - add reference to the algorithm we implement (diff)
resolved: don't conclude NODATA if CNAME exists
Instead, introduce the new return code DNSSEC_NSEC_CNAME to indicate this condition. See RFC 6840, Section 4.3.
-rw-r--r--src/resolve/resolved-dns-dnssec.c16
-rw-r--r--src/resolve/resolved-dns-dnssec.h1
-rw-r--r--src/resolve/resolved-dns-transaction.c1
3 files changed, 16 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 1ffa98ecb3..98d1c6f353 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1314,8 +1314,15 @@ found_closest_encloser:
if (!pp) {
/* No next closer NSEC3 RR. That means there's a direct NSEC3 RR for our key. */
- *result = bitmap_isset(enclosure_rr->nsec3.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA;
+ if (bitmap_isset(enclosure_rr->nsec3.types, key->type))
+ *result = DNSSEC_NSEC_FOUND;
+ else if (bitmap_isset(enclosure_rr->nsec3.types, DNS_TYPE_CNAME))
+ *result = DNSSEC_NSEC_CNAME;
+ else
+ *result = DNSSEC_NSEC_NODATA;
+
*authenticated = a;
+
return 0;
}
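Review bot: The three-way classification added in place of the old ternary encodes the RFC 6840, Section 4.3 rule that a matching NSEC3 RR whose type bitmap carries CNAME cannot serve as a NODATA proof, but that rationale exists only in the commit message; in the code the CNAME branch reads as an unexplained special case. I'd put `/* RFC 6840, Section 4.3: a direct match whose bitmap has CNAME set does not prove NODATA; report it separately so the caller can decide what to do. */` above the new `if`. The same comment belongs on the identical block in the dnssec_test_nsec hunk below. The enclosing function begins before this hunk.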
@@ -1393,7 +1400,12 @@ int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
if (r < 0)
return r;
if (r > 0) {
- *result = bitmap_isset(rr->nsec.types, key->type) ? DNSSEC_NSEC_FOUND : DNSSEC_NSEC_NODATA;
+ if (bitmap_isset(rr->nsec.types, key->type))
+ *result = DNSSEC_NSEC_FOUND;
+ else if (bitmap_isset(rr->nsec.types, DNS_TYPE_CNAME))
+ *result = DNSSEC_NSEC_CNAME;
+ else
+ *result = DNSSEC_NSEC_NODATA;
*authenticated = flags & DNS_ANSWER_AUTHENTICATED;
return 0;
}
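Review bot: The FOUND/CNAME/NODATA decision is now written out twice, here on the NSEC path and above on the NSEC3 path, with only the bitmap expression differing, so a future change to the rule has to be made in two places. A small static helper that takes the type bitmap and the queried type would keep the rule in one spot; both sites then reduce to `*result = nsec_bitmap_result(rr->nsec.types, key->type);` (and `enclosure_rr->nsec3.types` above). This assumes both `nsec.types` and `nsec3.types` are declared as `Bitmap *`, as the shared `bitmap_isset` call suggests; confirm against the RR header before adopting the signature. dnssec_test_nsec continues outside this hunk.
```c
/* Classify a matching NSEC/NSEC3 type bitmap for the queried type.
 * RFC 6840, Section 4.3: a bitmap with CNAME set cannot prove NODATA. */
static DnssecNsecResult nsec_bitmap_result(Bitmap *types, uint16_t type) {
        if (bitmap_isset(types, type))
                return DNSSEC_NSEC_FOUND;
        if (bitmap_isset(types, DNS_TYPE_CNAME))
                return DNSSEC_NSEC_CNAME;
        return DNSSEC_NSEC_NODATA;
}

/* … unchanged: dnssec_test_nsec up to the matching-RR branch … */
        if (r > 0) {
                *result = nsec_bitmap_result(rr->nsec.types, key->type);
                *authenticated = flags & DNS_ANSWER_AUTHENTICATED;
                return 0;
        }
```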
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
index d7aecbce13..57858d0c15 100644
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -91,6 +91,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret);
typedef enum DnssecNsecResult {
DNSSEC_NSEC_NO_RR, /* No suitable NSEC/NSEC3 RR found */
+ DNSSEC_NSEC_CNAME, /* Would be NODATA, but for the existence of a CNAME RR */
DNSSEC_NSEC_UNSUPPORTED_ALGORITHM,
DNSSEC_NSEC_NXDOMAIN,
DNSSEC_NSEC_NODATA,
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index fb95554db3..993db0dc69 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2300,6 +2300,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
break;
case DNSSEC_NSEC_FOUND:
+ case DNSSEC_NSEC_CNAME:
/* NSEC says it needs to be there, but we couldn't find it? Bummer! */
t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
break;
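Review bot: The comment under the new `case DNSSEC_NSEC_CNAME:` still only describes the FOUND case, so it no longer explains why a CNAME proof also ends in DNSSEC_NSEC_MISMATCH. I'd reword it to `/* NSEC says the type, or a CNAME that should have been followed, needs to be there, but we couldn't find it? Bummer! */` so the grouping of the two cases is self-explanatory. Folding CNAME into the same mismatch result looks consistent with the commit's intent, but the surrounding switch and dns_transaction_validate_dnssec both extend beyond this hunk, so I can't see whether any other branch already handles a CNAME-bearing answer.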