author | Ronan Pigott <ronan@rjp.ie> | 2024-03-18 21:05:07 +0100 |
---|---|---|
committer | Ronan Pigott <ronan@rjp.ie> | 2024-03-18 23:10:07 +0100 |
commit | ce5b9d5b3c2466dd35691be0a662c4e3353a2bbf (patch) | |
tree | c8f4dc05cd4b9c5cdff9db39742218b361f76a7e /src/resolve | |
parent | resolved: don't request the SOA for every dns label (diff) | |
resolved: request DS with DNSKEY
When validating, when we look up a DNSKEY for validation we will almost
certainly need the corresponding DS to complete the chain of trust.
Let's go ahead and request it right away so that we don't have to wait
in this common case.
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index c90be47dbe..9e4e90160b 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2301,7 +2301,7 @@ static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResource
 return 1;
 }
-static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
+static int dns_transaction_request_dnssec_rr_full(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
 DnsTransaction *aux;
 int r;
@@ -2332,11 +2332,19 @@ static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *
 r = dns_transaction_go(aux);
 if (r < 0)
 return r;
+ if (ret)
+ *ret = aux;
 }
 return 1;
 }
+static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
+ assert(t);
+ assert(key);
+ return dns_transaction_request_dnssec_rr_full(t, key, NULL);
+}
+
 static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
 int r;
@@ -2482,6 +2490,7 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
 case DNS_TYPE_RRSIG: {
 /* For each RRSIG we request the matching DNSKEY */
 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
+ DnsTransaction *aux = NULL;
 /* If this RRSIG is about a DNSKEY RR and the
 * signer is the same as the owner, then we
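Review bot: In the second hunk, `*ret` is written only inside the block that calls `dns_transaction_go(aux)`, so any other successful return from `dns_transaction_request_dnssec_rr_full()` leaves the caller's pointer untouched. The one caller in this commit pre-initialises `aux = NULL`, but a later caller that does not would read an indeterminate pointer; either start the function with `if (ret) *ret = NULL;` or state the contract above it, e.g. `/* *ret is set only when a new auxiliary transaction was started */`. The assignment also appears to hand out the pointer without taking a reference, which is worth saying in the same comment. The function body starts and ends outside the hunk, so the other return paths are inferred.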
@@ -2518,9 +2527,20 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").", t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
- r = dns_transaction_request_dnssec_rr(t, dnskey);
+ r = dns_transaction_request_dnssec_rr_full(t, dnskey, &aux);
 if (r < 0)
 return r;
+
+ /* If we are requesting a DNSKEY, we can anticiapte that we will want the matching DS
+ * in the near future. Let's request it in advance so we don't have to wait in the
+ * common case. */
+ if (aux) {
+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds =
+ dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(dnskey));
+ r = dns_transaction_request_dnssec_rr(t, ds);
+ if (r < 0)
+ return r;
+ }
 break;
 } |
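Review bot: The result of `dns_resource_key_new()` in the added `if (aux)` block is passed on unchecked, and the `dns_transaction_request_dnssec_rr()` wrapper added earlier in this commit begins with `assert(key)`. If the allocation fails, the resolver would abort rather than fail this one lookup; add `if (!ds) return -ENOMEM;` before the request. This path runs for RRSIGs in answers being validated, so an abort here costs availability for every client of the resolver. The comment above the block also misspells "anticipate". The enclosing `case` body starts outside the hunk.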