summaryrefslogtreecommitdiffstats
path: root/src/resolve/resolved-dns-transaction.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-13 02:45:28 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-13 20:21:57 +0100
commite926785a1feff01901e6298261a9f635791d3b17 (patch)
treeb038c3df03d5c6b6fae6db1201310f713a8cacc1 /src/resolve/resolved-dns-transaction.c
parentresolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME (diff)
downloadsystemd-e926785a1feff01901e6298261a9f635791d3b17.tar.xz
systemd-e926785a1feff01901e6298261a9f635791d3b17.zip
resolved: implement the full NSEC and NSEC3 postive wildcard proofs
Diffstat (limited to '')
-rw-r--r--src/resolve/resolved-dns-transaction.c26
1 files changed, 11 insertions, 15 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 9ee10f21c8..c7d2d82ecf 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2531,28 +2531,24 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
if (result == DNSSEC_VALIDATED_WILDCARD) {
bool authenticated = false;
- const char *suffix;
+ const char *source;
- /* This RRset validated, but as a wildcard. This means we need to proof via NSEC/NSEC3
- * that no matching non-wildcard RR exists.
- *
- * See RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4*/
+ /* This RRset validated, but as a wildcard. This means we need to prove via NSEC/NSEC3
+ * that no matching non-wildcard RR exists.*/
- r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &suffix);
+ /* First step, determine the source of synthesis */
+ r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &source);
if (r < 0)
return r;
if (r == 0)
return -EBADMSG;
- r = dns_name_parent(&suffix);
- if (r < 0)
- return r;
- if (r == 0)
- return -EBADMSG;
-
- r = dnssec_nsec_test_between(validated, DNS_RESOURCE_KEY_NAME(rr->key), suffix, &authenticated);
- if (r < 0)
- return r;
+ r = dnssec_test_positive_wildcard(
+ validated,
+ DNS_RESOURCE_KEY_NAME(rr->key),
+ source,
+ rrsig->rrsig.signer,
+ &authenticated);
/* Unless the NSEC proof showed that the key really doesn't exist something is off. */
if (r == 0)