diff options
| author | Ronan Pigott <ronan@rjp.ie> | 2024-05-01 07:15:18 +0200 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-05-01 20:32:30 +0200 |
| commit | 5237ffdf2b63a5afea77c3470d9981a2c29643cc (patch) | |
| tree | 223dcfc9779d432edf24f243c2183d3de0b0a4a8 /src/resolve/resolved-dns-transaction.c | |
| parent | Merge pull request #32613 from arthurzam/bash-v256 (diff) | |
| download | systemd-5237ffdf2b63a5afea77c3470d9981a2c29643cc.tar.xz systemd-5237ffdf2b63a5afea77c3470d9981a2c29643cc.zip | |
resolved: probe for dnssec support in allow-downgrade mode
Previously, sd-resolved unnecessarily requested SOA records for each dns
label in the query, even though they are not needed for the chain of
trust. Since 47690634f157, only the necessary records are queried when
validating.
This is actually a problem in allow-downgrade mode, since we will no
longer attempt a query for a record that we know is signed a priori, and
will therefore never update our belief about the state of dnssec support
in the recursive resolver.
Rectify this by reintroducing a query for the root zone SOA in the
allow-downgrade case, specifically to test that the resolver attaches
the RRSIGs which we know must exist.
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
| -rw-r--r-- | src/resolve/resolved-dns-transaction.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index b2817031b5..32b4980715 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2695,6 +2695,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { if (r < 0) return r; + if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) { + _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; + /* We made it all the way to the root zone. If we are in allow-downgrade + * mode, we need to make at least one request that we can be certain should + * have been signed, to test for servers that are not dnssec aware. */ + soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); + if (!soa) + return -ENOMEM; + + log_debug("Requesting root zone SOA to probe dnssec support."); + r = dns_transaction_request_dnssec_rr(t, soa); + if (r < 0) + return r; + } + break; } |