authorLennart Poettering <lennart@poettering.net>2020-11-04 22:59:44 +0100
committerLennart Poettering <lennart@poettering.net>2021-02-09 17:52:59 +0100
commit04617bf83f12c9dd0b6b454455d3576f2ce293a2 (patch)
tree49b69458fa2f1e668c228b6546d6a66ae41c640f /src/resolve
parentresolved: add new DnsAnswerFlags indicating originating section when parsing (diff)
resolved: add RRSIG field to DnsAnswerItem
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-dns-answer.c77
-rw-r--r--src/resolve/resolved-dns-answer.h9
-rw-r--r--src/resolve/resolved-dns-cache.c2
-rw-r--r--src/resolve/resolved-dns-packet.c2
-rw-r--r--src/resolve/resolved-dns-scope.c4
-rw-r--r--src/resolve/resolved-dns-synthesize.c10
-rw-r--r--src/resolve/resolved-dns-transaction.c51
-rw-r--r--src/resolve/resolved-dns-trust-anchor.c4
-rw-r--r--src/resolve/resolved-dns-zone.c2
-rw-r--r--src/resolve/resolved-etc-hosts.c4
-rw-r--r--src/resolve/test-dnssec.c16
11 files changed, 122 insertions, 59 deletions
diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c
index 8138fe595b..051a2a0f25 100644
--- a/src/resolve/resolved-dns-answer.c
+++ b/src/resolve/resolved-dns-answer.c
@@ -66,8 +66,10 @@ static void dns_answer_flush(DnsAnswer *a) {
a->set_items = set_free(a->set_items);
- DNS_ANSWER_FOREACH_ITEM(item, a)
+ DNS_ANSWER_FOREACH_ITEM(item, a) {
dns_resource_record_unref(item->rr);
+ dns_resource_record_unref(item->rrsig);
+ }
a->n_rrs = 0;
}
@@ -81,7 +83,13 @@ static DnsAnswer *dns_answer_free(DnsAnswer *a) {
DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsAnswer, dns_answer, dns_answer_free);
-static int dns_answer_add_raw(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) {
+static int dns_answer_add_raw(
+ DnsAnswer *a,
+ DnsResourceRecord *rr,
+ int ifindex,
+ DnsAnswerFlags flags,
+ DnsResourceRecord *rrsig) {
+
int r;
assert(rr);
@@ -96,6 +104,7 @@ static int dns_answer_add_raw(DnsAnswer *a, DnsResourceRecord *rr, int ifindex,
.rr = rr,
.ifindex = ifindex,
.flags = flags,
+ .rrsig = dns_resource_record_ref(rrsig),
};
r = set_put(a->set_items, &a->items[a->n_rrs]);
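Review bot: The initializer takes the reference on `rrsig` before `set_put()` runs, while `.rr = rr` is stored without taking one, so if `set_put()` does not succeed the extra RRSIG reference appears to be leaked. The error handling after `set_put()` lies outside this hunk, so this is inferred from the asymmetry rather than seen. Storing the pointer as `.rrsig = rrsig,` and calling `dns_resource_record_ref(rrsig);` only on the success path, next to wherever `rr` gets its reference, would keep the two fields symmetric. In a resolver that builds answers from network packets, a leak on an error path is worth closing even if it is rarely hit.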
@@ -119,7 +128,8 @@ static int dns_answer_add_raw_all(DnsAnswer *a, DnsAnswer *source) {
a,
item->rr,
item->ifindex,
- item->flags);
+ item->flags,
+ item->rrsig);
if (r < 0)
return r;
}
@@ -127,7 +137,13 @@ static int dns_answer_add_raw_all(DnsAnswer *a, DnsAnswer *source) {
return 0;
}
-int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) {
+int dns_answer_add(
+ DnsAnswer *a,
+ DnsResourceRecord *rr,
+ int ifindex,
+ DnsAnswerFlags flags,
+ DnsResourceRecord *rrsig) {
+
DnsAnswerItem tmp, *exist;
assert(rr);
@@ -154,13 +170,20 @@ int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFl
if (rr->ttl > exist->rr->ttl) {
dns_resource_record_unref(exist->rr);
exist->rr = dns_resource_record_ref(rr);
+
+ /* Update RRSIG and RR at the same time */
+ if (rrsig) {
+ dns_resource_record_ref(rrsig);
+ dns_resource_record_unref(exist->rrsig);
+ exist->rrsig = rrsig;
+ }
}
exist->flags |= flags;
return 0;
}
- return dns_answer_add_raw(a, rr, ifindex, flags);
+ return dns_answer_add_raw(a, rr, ifindex, flags, rrsig);
}
static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) {
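Review bot: In the existing-item branch the RRSIG is replaced only inside `if (rr->ttl > exist->rr->ttl)`, whereas `exist->flags |= flags` runs unconditionally, so a call that supplies a validating `rrsig` for an item with an equal or lower TTL has its flags merged but its signature dropped. That can leave an item carrying `DNS_ANSWER_AUTHENTICATED` with `rrsig == NULL` even though the caller had a signature to attach. Either adopt the signature when none is stored yet, e.g. `else if (rrsig && !exist->rrsig) exist->rrsig = dns_resource_record_ref(rrsig);`, or extend the comment to say the drop is intentional. The start of dns_answer_add() is outside this hunk.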
@@ -168,7 +191,7 @@ static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) {
int r;
DNS_ANSWER_FOREACH_ITEM(item, b) {
- r = dns_answer_add(a, item->rr, item->ifindex, item->flags);
+ r = dns_answer_add(a, item->rr, item->ifindex, item->flags, item->rrsig);
if (r < 0)
return r;
}
@@ -176,7 +199,13 @@ static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) {
return 0;
}
-int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) {
+int dns_answer_add_extend(
+ DnsAnswer **a,
+ DnsResourceRecord *rr,
+ int ifindex,
+ DnsAnswerFlags flags,
+ DnsResourceRecord *rrsig) {
+
int r;
assert(a);
@@ -186,7 +215,7 @@ int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, Dns
if (r < 0)
return r;
- return dns_answer_add(*a, rr, ifindex, flags);
+ return dns_answer_add(*a, rr, ifindex, flags, rrsig);
}
int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex) {
@@ -212,7 +241,7 @@ int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex
soa->soa.expire = 1;
soa->soa.minimum = ttl;
- return dns_answer_add(a, soa, ifindex, DNS_ANSWER_AUTHENTICATED);
+ return dns_answer_add(a, soa, ifindex, DNS_ANSWER_AUTHENTICATED, NULL);
}
int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *ret_flags) {
@@ -486,7 +515,7 @@ int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key) {
if (r > 0)
continue;
- r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags);
+ r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags, item->rrsig);
if (r < 0)
return r;
}
@@ -511,6 +540,8 @@ int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key) {
/* Kill this entry */
dns_resource_record_unref((*a)->items[i].rr);
+ dns_resource_record_unref((*a)->items[i].rrsig);
+
memmove((*a)->items + i, (*a)->items + i + 1, sizeof(DnsAnswerItem) * ((*a)->n_rrs - i - 1));
(*a)->n_rrs--;
continue;
@@ -570,7 +601,7 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) {
if (r > 0)
continue;
- r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags);
+ r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags, item->rrsig);
if (r < 0)
return r;
}
@@ -595,6 +626,7 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) {
/* Kill this entry */
dns_resource_record_unref((*a)->items[i].rr);
+ dns_resource_record_unref((*a)->items[i].rrsig);
memmove((*a)->items + i, (*a)->items + i + 1, sizeof(DnsAnswerItem) * ((*a)->n_rrs - i - 1));
(*a)->n_rrs--;
continue;
@@ -607,7 +639,13 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) {
return 1;
}
-int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags) {
+int dns_answer_copy_by_key(
+ DnsAnswer **a,
+ DnsAnswer *source,
+ const DnsResourceKey *key,
+ DnsAnswerFlags or_flags,
+ DnsResourceRecord *rrsig) {
+
DnsAnswerItem *item;
int r;
@@ -629,7 +667,7 @@ int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKe
if (r < 0)
return r;
- r = dns_answer_add(*a, item->rr, item->ifindex, item->flags|or_flags);
+ r = dns_answer_add(*a, item->rr, item->ifindex, item->flags|or_flags, item->rrsig);
if (r < 0)
return r;
}
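Review bot: The new `rrsig` parameter of dns_answer_copy_by_key() is not used in the lines visible here: the call still passes `item->rrsig`, so the signature that dnssec_validate_records() hands in, directly and through dns_answer_move_by_key(), is never stored. Items in `t->answer` are added by dns_packet_extract_answer() with a NULL rrsig in this same commit, so validated items would most likely end up with no RRSIG attached, which defeats the purpose of the new field. The call should prefer the caller's value: `r = dns_answer_add(*a, item->rr, item->ifindex, item->flags|or_flags, rrsig ?: item->rrsig);`. The rest of the function body lies outside this hunk.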
@@ -637,14 +675,19 @@ int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKe
return 0;
}
-int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags) {
+int dns_answer_move_by_key(
+ DnsAnswer **to,
+ DnsAnswer **from,
+ const DnsResourceKey *key,
+ DnsAnswerFlags or_flags,
+ DnsResourceRecord *rrsig) {
int r;
assert(to);
assert(from);
assert(key);
- r = dns_answer_copy_by_key(to, *from, key, or_flags);
+ r = dns_answer_copy_by_key(to, *from, key, or_flags, rrsig);
if (r < 0)
return r;
@@ -792,11 +835,13 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f) {
fputs(t, f);
- if (item->ifindex != 0 || item->flags != 0)
+ if (item->ifindex != 0 || item->rrsig || item->flags != 0)
fputs("\t;", f);
if (item->ifindex != 0)
fprintf(f, " ifindex=%i", item->ifindex);
+ if (item->rrsig)
+ fputs(" rrsig", f);
if (item->flags & DNS_ANSWER_AUTHENTICATED)
fputs(" authenticated", f);
if (item->flags & DNS_ANSWER_CACHEABLE)
diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h
index 924fe4504a..cc2cd93a33 100644
--- a/src/resolve/resolved-dns-answer.h
+++ b/src/resolve/resolved-dns-answer.h
@@ -26,6 +26,7 @@ typedef enum DnsAnswerFlags {
struct DnsAnswerItem {
DnsResourceRecord *rr;
+ DnsResourceRecord *rrsig; /* Optionally, also store RRSIG RR that successfully validates this item */
int ifindex;
DnsAnswerFlags flags;
};
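Review bot: The field comment does not say that a non-NULL `rrsig` is independent of `DNS_ANSWER_AUTHENTICATED`, yet the wildcard branch of dnssec_validate_records() in this commit passes `rrsig` together with flags `0` when `authenticated` is false. A later reader could take the pointer itself as proof that the item is trusted. I would extend the comment to something like `/* Optional: RRSIG RR whose signature validated this item; owns a reference. Trust decisions must still check DNS_ANSWER_AUTHENTICATED in flags */`.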
@@ -41,8 +42,8 @@ DnsAnswer *dns_answer_new(size_t n);
DnsAnswer *dns_answer_ref(DnsAnswer *a);
DnsAnswer *dns_answer_unref(DnsAnswer *a);
-int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags);
-int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags);
+int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags, DnsResourceRecord *rrsig);
+int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags, DnsResourceRecord *rrsig);
int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex);
int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags);
@@ -64,8 +65,8 @@ int dns_answer_reserve_or_clone(DnsAnswer **a, size_t n_free);
int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key);
int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr);
-int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags);
-int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags);
+int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig);
+int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig);
int dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname);
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index 6cdf010309..925d5a3af2 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -968,7 +968,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcod
return r;
}
- r = dns_answer_add(answer, rr ?: j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);
+ r = dns_answer_add(answer, rr ?: j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0, NULL);
if (r < 0)
return r;
}
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 3be96e8494..b75b77760a 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -2337,7 +2337,7 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) {
else
flags |= DNS_ANSWER_SECTION_ADDITIONAL;
- r = dns_answer_add(answer, rr, p->ifindex, flags);
+ r = dns_answer_add(answer, rr, p->ifindex, flags, NULL);
if (r < 0)
return r;
}
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index d77e81ae39..7db906b0ad 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -1289,7 +1289,7 @@ int dns_scope_announce(DnsScope *scope, bool goodbye) {
else
flags = goodbye ? (DNS_ANSWER_GOODBYE|DNS_ANSWER_CACHE_FLUSH) : DNS_ANSWER_CACHE_FLUSH;
- r = dns_answer_add(answer, i->rr, 0 , flags);
+ r = dns_answer_add(answer, i->rr, 0, flags, NULL);
if (r < 0)
return log_debug_errno(r, "Failed to add RR to announce: %m");
}
@@ -1307,7 +1307,7 @@ int dns_scope_announce(DnsScope *scope, bool goodbye) {
if (r < 0)
log_warning_errno(r, "Failed to add DNS-SD PTR record to MDNS zone: %m");
- r = dns_answer_add(answer, rr, 0 , 0);
+ r = dns_answer_add(answer, rr, 0, 0, NULL);
if (r < 0)
return log_debug_errno(r, "Failed to add RR to announce: %m");
}
diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c
index f08d62116a..23c9ba14a9 100644
--- a/src/resolve/resolved-dns-synthesize.c
+++ b/src/resolve/resolved-dns-synthesize.c
@@ -76,7 +76,7 @@ static int synthesize_localhost_rr(Manager *m, const DnsResourceKey *key, int if
rr->a.in_addr.s_addr = htobe32(INADDR_LOOPBACK);
- r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
}
@@ -90,7 +90,7 @@ static int synthesize_localhost_rr(Manager *m, const DnsResourceKey *key, int if
rr->aaaa.in6_addr = in6addr_loopback;
- r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
}
@@ -109,7 +109,7 @@ static int answer_add_ptr(DnsAnswer **answer, const char *from, const char *to,
if (!rr->ptr.name)
return -ENOMEM;
- return dns_answer_add(*answer, rr, ifindex, flags);
+ return dns_answer_add(*answer, rr, ifindex, flags, NULL);
}
static int synthesize_localhost_ptr(Manager *m, const DnsResourceKey *key, int ifindex, DnsAnswer **answer) {
@@ -155,7 +155,7 @@ static int answer_add_addresses_rr(
if (r < 0)
return r;
- r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
}
@@ -197,7 +197,7 @@ static int answer_add_addresses_ptr(
if (r < 0)
return r;
- r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index e032ea963f..8776edb57c 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2313,8 +2313,8 @@ void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
}
static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
- DnsResourceRecord *rr;
- int ifindex, r;
+ DnsAnswerItem *item;
+ int r;
assert(t);
@@ -2322,16 +2322,16 @@ static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
* RRs from the list of validated keys to the list of
* validated keys. */
- DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) {
+ DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
- r = dnssec_verify_dnskey_by_ds_search(rr, t->validated_keys);
+ r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
if (r < 0)
return r;
if (r == 0)
continue;
/* If so, the DNSKEY is validated too. */
- r = dns_answer_add_extend(&t->validated_keys, rr, ifindex, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
if (r < 0)
return r;
}
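Review bot: Passing `item->flags|DNS_ANSWER_AUTHENTICATED` instead of the previous fixed `DNS_ANSWER_AUTHENTICATED` also carries every flag of the not-yet-validated answer item into `t->validated_keys`, a behaviour change the commit title does not mention. If only the originating-section bits are meant to survive, a comment such as `/* keep the section flags of the original item, but mark the key as authenticated */` would make that explicit; otherwise masking `item->flags` down to the intended bits is the safer choice. Note also that `item->rrsig` is probably NULL here, since the DNSKEY is accepted via a DS match rather than a signature. The function continues outside this hunk.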
@@ -2822,19 +2822,26 @@ static int dnssec_validate_records(
continue;
}
- r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result, &rrsig);
+ r = dnssec_verify_rrset_search(
+ t->answer,
+ rr->key,
+ t->validated_keys,
+ USEC_INFINITY,
+ &result,
+ &rrsig);
if (r < 0)
return r;
log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
if (result == DNSSEC_VALIDATED) {
+ assert(rrsig);
if (rr->key->type == DNS_TYPE_DNSKEY) {
/* If we just validated a DNSKEY RRset, then let's add these keys to
* the set of validated keys for this transaction. */
- r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
if (r < 0)
return r;
@@ -2845,10 +2852,9 @@ static int dnssec_validate_records(
return r;
}
- /* Add the validated RRset to the new list of validated
- * RRsets, and remove it from the unvalidated RRsets.
- * We mark the RRset as authenticated and cacheable. */
- r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
+ /* Add the validated RRset to the new list of validated RRsets, and remove it from
+ * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
+ r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
if (r < 0)
return r;
@@ -2868,6 +2874,8 @@ static int dnssec_validate_records(
bool authenticated = false;
const char *source;
+ assert(rrsig);
+
/* This RRset validated, but as a wildcard. This means we need
* to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
@@ -2886,8 +2894,12 @@ static int dnssec_validate_records(
if (r == 0)
result = DNSSEC_INVALID;
else {
- r = dns_answer_move_by_key(validated, &t->answer, rr->key,
- authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
+ r = dns_answer_move_by_key(
+ validated,
+ &t->answer,
+ rr->key,
+ authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
+ rrsig);
if (r < 0)
return r;
@@ -2905,7 +2917,12 @@ static int dnssec_validate_records(
if (r == 0) {
/* Data does not require signing. In that case, just copy it over,
* but remember that this is by no means authenticated. */
- r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
+ r = dns_answer_move_by_key(
+ validated,
+ &t->answer,
+ rr->key,
+ 0,
+ NULL);
if (r < 0)
return r;
@@ -2926,7 +2943,7 @@ static int dnssec_validate_records(
/* Downgrading is OK? If so, just consider the information unsigned */
- r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
+ r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
if (r < 0)
return r;
@@ -2951,7 +2968,7 @@ static int dnssec_validate_records(
log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
dns_resource_key_to_string(rr->key, s, sizeof s));
- r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
+ r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
if (r < 0)
return r;
@@ -2972,7 +2989,7 @@ static int dnssec_validate_records(
/* The DNSKEY transaction was not authenticated, this means there's
* no DS for this, which means it's OK if no keys are found for this signature. */
- r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
+ r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
if (r < 0)
return r;
diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
index 3e5d25586c..8ba459b3e5 100644
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -60,7 +60,7 @@ static int add_root_ksk(
if (!rr->ds.digest)
return -ENOMEM;
- r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
@@ -354,7 +354,7 @@ static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, u
old_answer = hashmap_get(d->positive_by_key, rr->key);
answer = dns_answer_ref(old_answer);
- r = dns_answer_add_extend(&answer, rr, 0, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add_extend(&answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return log_error_errno(r, "Failed to add trust anchor RR: %m");
diff --git a/src/resolve/resolved-dns-zone.c b/src/resolve/resolved-dns-zone.c
index 00eb6725f9..b8d3ee3941 100644
--- a/src/resolve/resolved-dns-zone.c
+++ b/src/resolve/resolved-dns-zone.c
@@ -296,7 +296,7 @@ static int dns_zone_add_authenticated_answer(DnsAnswer *a, DnsZoneItem *i, int i
else
flags = DNS_ANSWER_AUTHENTICATED;
- return dns_answer_add(a, i->rr, ifindex, flags);
+ return dns_answer_add(a, i->rr, ifindex, flags, NULL);
}
int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, int ifindex, DnsAnswer **ret_answer, DnsAnswer **ret_soa, bool *ret_tentative) {
diff --git a/src/resolve/resolved-etc-hosts.c b/src/resolve/resolved-etc-hosts.c
index 2cb90d201a..0c35d91a83 100644
--- a/src/resolve/resolved-etc-hosts.c
+++ b/src/resolve/resolved-etc-hosts.c
@@ -406,7 +406,7 @@ int manager_etc_hosts_lookup(Manager *m, DnsQuestion* q, DnsAnswer **answer) {
if (!rr->ptr.name)
return -ENOMEM;
- r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
}
@@ -458,7 +458,7 @@ int manager_etc_hosts_lookup(Manager *m, DnsQuestion* q, DnsAnswer **answer) {
if (r < 0)
return r;
- r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED);
+ r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL);
if (r < 0)
return r;
}
diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c
index 0275d0eb94..b0763694dc 100644
--- a/src/resolve/test-dnssec.c
+++ b/src/resolve/test-dnssec.c
@@ -170,7 +170,7 @@ static void test_dnssec_verify_rfc8080_ed25519_example1(void) {
answer = dns_answer_new(1);
assert_se(answer);
- assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
+ assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey,
rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
@@ -262,7 +262,7 @@ static void test_dnssec_verify_rfc8080_ed25519_example2(void) {
answer = dns_answer_new(1);
assert_se(answer);
- assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
+ assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey,
rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
@@ -344,7 +344,7 @@ static void test_dnssec_verify_rrset(void) {
answer = dns_answer_new(1);
assert_se(answer);
- assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
+ assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
/* Validate the RR as it if was 2015-12-2 today */
assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0);
@@ -436,7 +436,7 @@ static void test_dnssec_verify_rrset2(void) {
answer = dns_answer_new(1);
assert_se(answer);
- assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
+ assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
/* Validate the RR as it if was 2015-12-11 today */
assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0);
@@ -563,10 +563,10 @@ static void test_dnssec_verify_rrset3(void) {
answer = dns_answer_new(4);
assert_se(answer);
- assert_se(dns_answer_add(answer, mx1, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
- assert_se(dns_answer_add(answer, mx2, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
- assert_se(dns_answer_add(answer, mx3, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
- assert_se(dns_answer_add(answer, mx4, 0, DNS_ANSWER_AUTHENTICATED) >= 0);
+ assert_se(dns_answer_add(answer, mx1, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
+ assert_se(dns_answer_add(answer, mx2, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
+ assert_se(dns_answer_add(answer, mx3, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
+ assert_se(dns_answer_add(answer, mx4, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0);
/* Validate the RR as it if was 2020-02-24 today */
assert_se(dnssec_verify_rrset(answer, mx1->key, rrsig, dnskey, 1582534685*USEC_PER_SEC, &result) >= 0);