authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2022-05-17 16:53:09 +0200
committerGitHub <noreply@github.com>2022-05-17 16:53:09 +0200
commit80c48dd3a23392828e66835a9efa547bf4ca79ae (patch)
tree43fc65ef2c47370e1bd2d9fba646874347456907 /src/resolve
parentAdd a "test" that prints the SBAT table (diff)
parentresolve: always request records to validate negative answer (diff)
Merge pull request #23114 from yuwata/resolve-dnssec
resolve: always request additional record to verify negative answer
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-dns-dnssec.c5
-rw-r--r--src/resolve/resolved-dns-transaction.c28
2 files changed, 13 insertions, 20 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index cdc89771d5..f63cd9b48c 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -778,8 +778,7 @@ static hash_md_t algorithm_to_implementation_id(uint8_t algorithm) {
static void dnssec_fix_rrset_ttl(
DnsResourceRecord *list[],
unsigned n,
- DnsResourceRecord *rrsig,
- usec_t realtime) {
+ DnsResourceRecord *rrsig) {
assert(list);
assert(n > 0);
@@ -1110,7 +1109,7 @@ int dnssec_verify_rrset(
/* Now, fix the ttl, expiry, and remember the synthesizing source and the signer */
if (r > 0)
- dnssec_fix_rrset_ttl(list, n, rrsig, realtime);
+ dnssec_fix_rrset_ttl(list, n, rrsig);
if (r == 0)
*result = DNSSEC_INVALID;
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index ab0f318c7a..158e5b44b0 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2211,7 +2211,7 @@ static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const
return link_negative_trust_anchor_lookup(t->scope->link, name);
}
-static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
+static int dns_transaction_has_negative_answer(DnsTransaction *t) {
int r;
assert(t);
@@ -2230,14 +2230,7 @@ static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
if (r < 0)
return r;
- if (r > 0)
- return false;
-
- /* The answer does not contain any RRs that match to the
- * question. If so, let's see if there are any NSEC/NSEC3 RRs
- * included. If not, the answer is unsigned. */
-
- return !dns_answer_contains_nsec_or_nsec3(t->answer);
+ return !r;
}
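Review bot: The removed block was the only explanation of what this function reports, and the new `return !r;` reads as a bare inversion of the negative-trust-anchor lookup result rather than as a decision about validation. A comment above it such as `/* A negative trust anchor covers this name, so the empty answer needs no validation; otherwise report a negative answer that still has to be validated. */` would carry the intent the old comment carried. If the function has a header comment or callers' comments elsewhere that still speak of an "unsigned" negative answer, they presumably need the same update, since the NSEC/NSEC3 check no longer decides the result. The early checks of dns_transaction_has_negative_answer are outside this hunk.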
static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
@@ -2561,14 +2554,15 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
* we got. Now, let's request what we need to validate what we
* didn't get... */
- r = dns_transaction_has_unsigned_negative_answer(t);
+ r = dns_transaction_has_negative_answer(t);
if (r < 0)
return r;
if (r > 0) {
- const char *name;
+ const char *name, *signed_status;
uint16_t type = 0;
name = dns_resource_key_name(dns_transaction_key(t));
+ signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";
/* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
* could also be used as indication that we are not at a zone apex, but in real world setups there are
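Review bot: The added line `signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";` labels an answer "signed" only because NSEC/NSEC3 records are present, before any of them has been verified, which is precisely why the records are being requested here. In a debug log that phrasing can be read as a verified state that does not exist yet; wording that states what was actually tested, e.g. `signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "with NSEC/NSEC3" : "without NSEC/NSEC3";`, avoids that reading and keeps the three log_debug format strings in the following hunk accurate. Whether t->answer may be NULL at this point is not visible here; if it can, the helper's handling of a NULL answer should be confirmed. The enclosing function dns_transaction_request_dnssec_keys starts before this hunk.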
@@ -2581,21 +2575,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
r = dns_name_parent(&name);
if (r > 0) {
type = DNS_TYPE_SOA;
- log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
- name, t->id, dns_resource_key_name(dns_transaction_key(t)));
+ log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).",
+ name, t->id, dns_resource_key_name(dns_transaction_key(t)), signed_status);
} else
name = NULL;
} else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
type = DNS_TYPE_DS;
- log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
- name, t->id, name);
+ log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).",
+ name, t->id, name, signed_status);
} else {
type = DNS_TYPE_SOA;
- log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
- name, t->id, name);
+ log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).",
+ name, t->id, name, signed_status);
}
if (name) {