author | Lennart Poettering <lennart@poettering.net> | 2016-01-13 02:45:28 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-13 20:21:57 +0100 |
commit | e926785a1feff01901e6298261a9f635791d3b17 (patch) | |
tree | b038c3df03d5c6b6fae6db1201310f713a8cacc1 /src/resolve/resolved-dns-transaction.c | |
parent | resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME (diff) | |
download | systemd-e926785a1feff01901e6298261a9f635791d3b17.tar.xz systemd-e926785a1feff01901e6298261a9f635791d3b17.zip |
resolved: implement the full NSEC and NSEC3 postive wildcard proofs
Diffstat (limited to '')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 26 |
1 files changed, 11 insertions, 15 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 9ee10f21c8..c7d2d82ecf 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2531,28 +2531,24 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 if (result == DNSSEC_VALIDATED_WILDCARD) {
 bool authenticated = false;
- const char *suffix;
+ const char *source;
- /* This RRset validated, but as a wildcard. This means we need to proof via NSEC/NSEC3
- * that no matching non-wildcard RR exists.
- *
- * See RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4*/
+ /* This RRset validated, but as a wildcard. This means we need to prove via NSEC/NSEC3
+ * that no matching non-wildcard RR exists.*/
- r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &suffix);
+ /* First step, determine the source of synthesis */
+ r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &source);
 if (r < 0)
 return r;
 if (r == 0)
 return -EBADMSG;
- r = dns_name_parent(&suffix);
- if (r < 0)
- return r;
- if (r == 0)
- return -EBADMSG;
-
- r = dnssec_nsec_test_between(validated, DNS_RESOURCE_KEY_NAME(rr->key), suffix, &authenticated);
- if (r < 0)
- return r;
+ r = dnssec_test_positive_wildcard(
+ validated,
+ DNS_RESOURCE_KEY_NAME(rr->key),
+ source,
+ rrsig->rrsig.signer,
+ &authenticated);
 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
 if (r == 0) |
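Review bot: The call to `dnssec_test_positive_wildcard()` is no longer followed by an error check: the old `dnssec_nsec_test_between()` call had `if (r < 0) return r;` after it, and the new code goes straight to `if (r == 0)`. A negative return (allocation failure, malformed name) is therefore not distinguished from a successful proof at this point. The branch taken when `r != 0` lies outside the hunk, but unless it re-checks the sign, a failed wildcard proof would be handled like a passed one, which is a fail-open path in DNSSEC validation. I would restore `if (r < 0) return r;` directly after the call, before the "Unless the NSEC proof showed…" comment. The rewritten comment also drops the pointer to RFC 5155 Section 8.8 and RFC 4035 Section 5.3.4, which is worth keeping for anyone auditing the proof logic.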