From 04617bf83f12c9dd0b6b454455d3576f2ce293a2 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 4 Nov 2020 22:59:44 +0100 Subject: resolved: add RRSIG field to DnsAnswerItem --- src/resolve/resolved-dns-answer.c | 77 ++++++++++++++++++++++++++------- src/resolve/resolved-dns-answer.h | 9 ++-- src/resolve/resolved-dns-cache.c | 2 +- src/resolve/resolved-dns-packet.c | 2 +- src/resolve/resolved-dns-scope.c | 4 +- src/resolve/resolved-dns-synthesize.c | 10 ++--- src/resolve/resolved-dns-transaction.c | 51 ++++++++++++++-------- src/resolve/resolved-dns-trust-anchor.c | 4 +- src/resolve/resolved-dns-zone.c | 2 +- src/resolve/resolved-etc-hosts.c | 4 +- src/resolve/test-dnssec.c | 16 +++---- 11 files changed, 122 insertions(+), 59 deletions(-) (limited to 'src/resolve') diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c index 8138fe595b..051a2a0f25 100644 --- a/src/resolve/resolved-dns-answer.c +++ b/src/resolve/resolved-dns-answer.c @@ -66,8 +66,10 @@ static void dns_answer_flush(DnsAnswer *a) { a->set_items = set_free(a->set_items); - DNS_ANSWER_FOREACH_ITEM(item, a) + DNS_ANSWER_FOREACH_ITEM(item, a) { dns_resource_record_unref(item->rr); + dns_resource_record_unref(item->rrsig); + } a->n_rrs = 0; } @@ -81,7 +83,13 @@ static DnsAnswer *dns_answer_free(DnsAnswer *a) { DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsAnswer, dns_answer, dns_answer_free); -static int dns_answer_add_raw(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) { +static int dns_answer_add_raw( + DnsAnswer *a, + DnsResourceRecord *rr, + int ifindex, + DnsAnswerFlags flags, + DnsResourceRecord *rrsig) { + int r; assert(rr); @@ -96,6 +104,7 @@ static int dns_answer_add_raw(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, .rr = rr, .ifindex = ifindex, .flags = flags, + .rrsig = dns_resource_record_ref(rrsig), }; r = set_put(a->set_items, &a->items[a->n_rrs]); 
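Review bot: In the `dns_answer_add_raw` initializer (hunk at -96) the new field takes its reference up front, `.rrsig = dns_resource_record_ref(rrsig)`, while `.rr = rr` is stored without one, and `set_put()` only runs afterwards. The function's error handling lies outside this hunk, but if it returns on `r < 0` or on a duplicate without releasing that reference, the RRSIG record leaks on every failed insert. Consider storing `.rrsig = rrsig` here and taking the reference at the point where the item is committed, or unref'ing on the failure paths. Most call sites in this patch pass NULL, so the line also relies on `dns_resource_record_ref()` accepting NULL; a short comment saying so would help the next reader.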
@@ -119,7 +128,8 @@ static int dns_answer_add_raw_all(DnsAnswer *a, DnsAnswer *source) { a, item->rr, item->ifindex, - item->flags); + item->flags, + item->rrsig); if (r < 0) return r; } @@ -127,7 +137,13 @@ static int dns_answer_add_raw_all(DnsAnswer *a, DnsAnswer *source) { return 0; } -int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) { +int dns_answer_add( + DnsAnswer *a, + DnsResourceRecord *rr, + int ifindex, + DnsAnswerFlags flags, + DnsResourceRecord *rrsig) { + DnsAnswerItem tmp, *exist; assert(rr); @@ -154,13 +170,20 @@ int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFl if (rr->ttl > exist->rr->ttl) { dns_resource_record_unref(exist->rr); exist->rr = dns_resource_record_ref(rr); + + /* Update RRSIG and RR at the same time */ + if (rrsig) { + dns_resource_record_ref(rrsig); + dns_resource_record_unref(exist->rrsig); + exist->rrsig = rrsig; + } } exist->flags |= flags; return 0; } - return dns_answer_add_raw(a, rr, ifindex, flags); + return dns_answer_add_raw(a, rr, ifindex, flags, rrsig); } static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) { @@ -168,7 +191,7 @@ static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) { int r; DNS_ANSWER_FOREACH_ITEM(item, b) { - r = dns_answer_add(a, item->rr, item->ifindex, item->flags); + r = dns_answer_add(a, item->rr, item->ifindex, item->flags, item->rrsig); if (r < 0) return r; } @@ -176,7 +199,13 @@ static int dns_answer_add_all(DnsAnswer *a, DnsAnswer *b) { return 0; } -int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags) { +int dns_answer_add_extend( + DnsAnswer **a, + DnsResourceRecord *rr, + int ifindex, + DnsAnswerFlags flags, + DnsResourceRecord *rrsig) { + int r; assert(a); 
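Review bot: In the merge path of `dns_answer_add` (hunk at -154) the caller's `rrsig` is stored only inside the `rr->ttl > exist->rr->ttl` branch, whereas `exist->flags |= flags` runs unconditionally. When the existing entry has an equal or larger TTL and no signature yet, it can gain `DNS_ANSWER_AUTHENTICATED` while the RRSIG that justified the flag is dropped. If that is not intended, also fill an empty slot outside the TTL branch, e.g. `if (rrsig && !exist->rrsig) exist->rrsig = dns_resource_record_ref(rrsig);`. Otherwise extend the comment to state that a NULL `rrsig` keeps the previous signature and that a passed signature is discarded when the RR itself is not replaced.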
@@ -186,7 +215,7 @@ int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, Dns if (r < 0) return r; - return dns_answer_add(*a, rr, ifindex, flags); + return dns_answer_add(*a, rr, ifindex, flags, rrsig); } int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex) { @@ -212,7 +241,7 @@ int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex soa->soa.expire = 1; soa->soa.minimum = ttl; - return dns_answer_add(a, soa, ifindex, DNS_ANSWER_AUTHENTICATED); + return dns_answer_add(a, soa, ifindex, DNS_ANSWER_AUTHENTICATED, NULL); } int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *ret_flags) { @@ -486,7 +515,7 @@ int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key) { if (r > 0) continue; - r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags); + r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags, item->rrsig); if (r < 0) return r; } @@ -511,6 +540,8 @@ int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key) { /* Kill this entry */ dns_resource_record_unref((*a)->items[i].rr); + dns_resource_record_unref((*a)->items[i].rrsig); + memmove((*a)->items + i, (*a)->items + i + 1, sizeof(DnsAnswerItem) * ((*a)->n_rrs - i - 1)); (*a)->n_rrs--; continue; @@ -570,7 +601,7 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) { if (r > 0) continue; - r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags); + r = dns_answer_add_raw(copy, item->rr, item->ifindex, item->flags, item->rrsig); if (r < 0) return r; } @@ -595,6 +626,7 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) { /* Kill this entry */ dns_resource_record_unref((*a)->items[i].rr); + dns_resource_record_unref((*a)->items[i].rrsig); memmove((*a)->items + i, (*a)->items + i + 1, sizeof(DnsAnswerItem) * ((*a)->n_rrs - i - 1)); (*a)->n_rrs--; continue; 
@@ -607,7 +639,13 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rm) { return 1; } -int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags) { +int dns_answer_copy_by_key( + DnsAnswer **a, + DnsAnswer *source, + const DnsResourceKey *key, + DnsAnswerFlags or_flags, + DnsResourceRecord *rrsig) { + DnsAnswerItem *item; int r; @@ -629,7 +667,7 @@ int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKe if (r < 0) return r; - r = dns_answer_add(*a, item->rr, item->ifindex, item->flags|or_flags); + r = dns_answer_add(*a, item->rr, item->ifindex, item->flags|or_flags, item->rrsig); if (r < 0) return r; } @@ -637,14 +675,19 @@ int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKe return 0; } -int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags) { +int dns_answer_move_by_key( + DnsAnswer **to, + DnsAnswer **from, + const DnsResourceKey *key, + DnsAnswerFlags or_flags, + DnsResourceRecord *rrsig) { int r; assert(to); assert(from); assert(key); - r = dns_answer_copy_by_key(to, *from, key, or_flags); + r = dns_answer_copy_by_key(to, *from, key, or_flags, rrsig); if (r < 0) return r; @@ -792,11 +835,13 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f) { fputs(t, f); - if (item->ifindex != 0 || item->flags != 0) + if (item->ifindex != 0 || item->rrsig || item->flags != 0) fputs("\t;", f); if (item->ifindex != 0) fprintf(f, " ifindex=%i", item->ifindex); + if (item->rrsig) + fputs(" rrsig", f); if (item->flags & DNS_ANSWER_AUTHENTICATED) fputs(" authenticated", f); if (item->flags & DNS_ANSWER_CACHEABLE) diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h index 924fe4504a..cc2cd93a33 100644 --- a/src/resolve/resolved-dns-answer.h +++ b/src/resolve/resolved-dns-answer.h 
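Review bot: The new `rrsig` parameter of `dns_answer_copy_by_key` is not used in the lines shown: the call in the -629 hunk passes `item->rrsig` from the source answer instead. Since `dns_answer_move_by_key` forwards its own `rrsig` into this function, the signature that `dnssec_validate_records` hands in after a successful validation appears to be discarded. Items extracted from a packet are added with a NULL `rrsig` elsewhere in this patch, so the validated set would end up carrying no signatures at all. Unless the parameter is consumed in a part of the function outside the hunk, the call likely wants `rrsig ?: item->rrsig` as its last argument.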
@@ -26,6 +26,7 @@ typedef enum DnsAnswerFlags { struct DnsAnswerItem { DnsResourceRecord *rr; + DnsResourceRecord *rrsig; /* Optionally, also store RRSIG RR that successfully validates this item */ int ifindex; DnsAnswerFlags flags; }; @@ -41,8 +42,8 @@ DnsAnswer *dns_answer_new(size_t n); DnsAnswer *dns_answer_ref(DnsAnswer *a); DnsAnswer *dns_answer_unref(DnsAnswer *a); -int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); -int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags); +int dns_answer_add(DnsAnswer *a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags, DnsResourceRecord *rrsig); +int dns_answer_add_extend(DnsAnswer **a, DnsResourceRecord *rr, int ifindex, DnsAnswerFlags flags, DnsResourceRecord *rrsig); int dns_answer_add_soa(DnsAnswer *a, const char *name, uint32_t ttl, int ifindex); int dns_answer_match_key(DnsAnswer *a, const DnsResourceKey *key, DnsAnswerFlags *combined_flags); @@ -64,8 +65,8 @@ int dns_answer_reserve_or_clone(DnsAnswer **a, size_t n_free); int dns_answer_remove_by_key(DnsAnswer **a, const DnsResourceKey *key); int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr); -int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags); -int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags); +int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig); +int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags, DnsResourceRecord *rrsig); int dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname); diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c index 6cdf010309..925d5a3af2 100644 --- a/src/resolve/resolved-dns-cache.c +++ b/src/resolve/resolved-dns-cache.c 
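Review bot: The header does not say who owns `rrsig` or whether it may be NULL, although five prototypes now take it. Judging from the .c changes, the item takes its own reference and releases it in `dns_answer_flush` and the remove helpers, and most callers pass NULL. I would extend the field comment to something like `/* Optional RRSIG RR that validated this item; may be NULL; the item holds its own reference */`.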
@@ -968,7 +968,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, bool clamp_ttl, int *rcod return r; } - r = dns_answer_add(answer, rr ?: j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0); + r = dns_answer_add(answer, rr ?: j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0, NULL); if (r < 0) return r; } diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index 3be96e8494..b75b77760a 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c @@ -2337,7 +2337,7 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) { else flags |= DNS_ANSWER_SECTION_ADDITIONAL; - r = dns_answer_add(answer, rr, p->ifindex, flags); + r = dns_answer_add(answer, rr, p->ifindex, flags, NULL); if (r < 0) return r; } diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index d77e81ae39..7db906b0ad 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -1289,7 +1289,7 @@ int dns_scope_announce(DnsScope *scope, bool goodbye) { else flags = goodbye ? (DNS_ANSWER_GOODBYE|DNS_ANSWER_CACHE_FLUSH) : DNS_ANSWER_CACHE_FLUSH; - r = dns_answer_add(answer, i->rr, 0 , flags); + r = dns_answer_add(answer, i->rr, 0, flags, NULL); if (r < 0) return log_debug_errno(r, "Failed to add RR to announce: %m"); } @@ -1307,7 +1307,7 @@ int dns_scope_announce(DnsScope *scope, bool goodbye) { if (r < 0) log_warning_errno(r, "Failed to add DNS-SD PTR record to MDNS zone: %m"); - r = dns_answer_add(answer, rr, 0 , 0); + r = dns_answer_add(answer, rr, 0, 0, NULL); if (r < 0) return log_debug_errno(r, "Failed to add RR to announce: %m"); } diff --git a/src/resolve/resolved-dns-synthesize.c b/src/resolve/resolved-dns-synthesize.c index f08d62116a..23c9ba14a9 100644 --- a/src/resolve/resolved-dns-synthesize.c +++ b/src/resolve/resolved-dns-synthesize.c 
@@ -76,7 +76,7 @@ static int synthesize_localhost_rr(Manager *m, const DnsResourceKey *key, int if rr->a.in_addr.s_addr = htobe32(INADDR_LOOPBACK); - r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; } @@ -90,7 +90,7 @@ static int synthesize_localhost_rr(Manager *m, const DnsResourceKey *key, int if rr->aaaa.in6_addr = in6addr_loopback; - r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(*answer, rr, dns_synthesize_ifindex(ifindex), DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; } @@ -109,7 +109,7 @@ static int answer_add_ptr(DnsAnswer **answer, const char *from, const char *to, if (!rr->ptr.name) return -ENOMEM; - return dns_answer_add(*answer, rr, ifindex, flags); + return dns_answer_add(*answer, rr, ifindex, flags, NULL); } static int synthesize_localhost_ptr(Manager *m, const DnsResourceKey *key, int ifindex, DnsAnswer **answer) { @@ -155,7 +155,7 @@ static int answer_add_addresses_rr( if (r < 0) return r; - r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; } @@ -197,7 +197,7 @@ static int answer_add_addresses_ptr( if (r < 0) return r; - r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(*answer, rr, addresses[j].ifindex, DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index e032ea963f..8776edb57c 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c 
@@ -2313,8 +2313,8 @@ void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) { } static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) { - DnsResourceRecord *rr; - int ifindex, r; + DnsAnswerItem *item; + int r; assert(t); @@ -2322,16 +2322,16 @@ static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) { * RRs from the list of validated keys to the list of * validated keys. */ - DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) { + DNS_ANSWER_FOREACH_ITEM(item, t->answer) { - r = dnssec_verify_dnskey_by_ds_search(rr, t->validated_keys); + r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys); if (r < 0) return r; if (r == 0) continue; /* If so, the DNSKEY is validated too. */ - r = dns_answer_add_extend(&t->validated_keys, rr, ifindex, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig); if (r < 0) return r; } @@ -2822,19 +2822,26 @@ static int dnssec_validate_records( continue; } - r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result, &rrsig); + r = dnssec_verify_rrset_search( + t->answer, + rr->key, + t->validated_keys, + USEC_INFINITY, + &result, + &rrsig); if (r < 0) return r; log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result)); if (result == DNSSEC_VALIDATED) { + assert(rrsig); if (rr->key->type == DNS_TYPE_DNSKEY) { /* If we just validated a DNSKEY RRset, then let's add these keys to * the set of validated keys for this transaction. */ - r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig); if (r < 0) return r; 
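Review bot: The call in `dns_transaction_validate_dnskey_by_ds` (hunk at -2322) now passes `item->flags|DNS_ANSWER_AUTHENTICATED` where it used to pass only `DNS_ANSWER_AUTHENTICATED`, so whatever flags the item carried in `t->answer` are copied into `t->validated_keys`. That is a behaviour change beyond adding the RRSIG field, and the commit subject does not mention it. If only the signature was meant to be carried over, keep the flags argument as `DNS_ANSWER_AUTHENTICATED`. If the wider flag set is wanted, a comment naming which flags are expected on validated keys would make that reviewable.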
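Review bot: `assert(rrsig)` after `result == DNSSEC_VALIDATED` (hunk at -2822, and again in the wildcard branch at -2868) turns an invariant of `dnssec_verify_rrset_search()` into a process abort on a path that handles data received from the network. That function is not part of this diff, so whether it always sets the output for a validated result cannot be confirmed from here. If there is any doubt, failing the transaction is safer for availability than aborting the resolver, e.g. `if (!rrsig) return -EIO;` preceded by a debug log line. The per-iteration initialisation of `rrsig` is also outside the hunk and worth checking, since a stale pointer from an earlier RR would satisfy the assert.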
@@ -2845,10 +2852,9 @@ static int dnssec_validate_records( return r; } - /* Add the validated RRset to the new list of validated - * RRsets, and remove it from the unvalidated RRsets. - * We mark the RRset as authenticated and cacheable. */ - r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE); + /* Add the validated RRset to the new list of validated RRsets, and remove it from + * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */ + r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig); if (r < 0) return r; @@ -2868,6 +2874,8 @@ static int dnssec_validate_records( bool authenticated = false; const char *source; + assert(rrsig); + /* This RRset validated, but as a wildcard. This means we need * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */ @@ -2886,8 +2894,12 @@ static int dnssec_validate_records( if (r == 0) result = DNSSEC_INVALID; else { - r = dns_answer_move_by_key(validated, &t->answer, rr->key, - authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0); + r = dns_answer_move_by_key( + validated, + &t->answer, + rr->key, + authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0, + rrsig); if (r < 0) return r; @@ -2905,7 +2917,12 @@ static int dnssec_validate_records( if (r == 0) { /* Data does not require signing. In that case, just copy it over, * but remember that this is by no means authenticated. */ - r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0); + r = dns_answer_move_by_key( + validated, + &t->answer, + rr->key, + 0, + NULL); if (r < 0) return r; @@ -2926,7 +2943,7 @@ static int dnssec_validate_records( /* Downgrading is OK? If so, just consider the information unsigned */ - r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0); + r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL); if (r < 0) return r; 
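Review bot: In the wildcard branch (hunk at -2886) `rrsig` is passed to `dns_answer_move_by_key` even when `authenticated` is false and the flags argument is 0. An item can therefore carry a signature without `DNS_ANSWER_AUTHENTICATED`, while the struct comment describes `rrsig` as the RR that "successfully validates this item". Consumers should keep deciding trust from the flag and not from `rrsig != NULL`. Either pass `authenticated ? rrsig : NULL` here, or add a comment such as `/* rrsig is informational only; authentication is expressed solely by DNS_ANSWER_AUTHENTICATED */`.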
@@ -2951,7 +2968,7 @@ static int dnssec_validate_records( log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.", dns_resource_key_to_string(rr->key, s, sizeof s)); - r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0); + r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL); if (r < 0) return r; @@ -2972,7 +2989,7 @@ static int dnssec_validate_records( /* The DNSKEY transaction was not authenticated, this means there's * no DS for this, which means it's OK if no keys are found for this signature. */ - r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0); + r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL); if (r < 0) return r; diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c index 3e5d25586c..8ba459b3e5 100644 --- a/src/resolve/resolved-dns-trust-anchor.c +++ b/src/resolve/resolved-dns-trust-anchor.c @@ -60,7 +60,7 @@ static int add_root_ksk( if (!rr->ds.digest) return -ENOMEM; - r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; @@ -354,7 +354,7 @@ static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, u old_answer = hashmap_get(d->positive_by_key, rr->key); answer = dns_answer_ref(old_answer); - r = dns_answer_add_extend(&answer, rr, 0, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add_extend(&answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return log_error_errno(r, "Failed to add trust anchor RR: %m"); diff --git a/src/resolve/resolved-dns-zone.c b/src/resolve/resolved-dns-zone.c index 00eb6725f9..b8d3ee3941 100644 --- a/src/resolve/resolved-dns-zone.c +++ b/src/resolve/resolved-dns-zone.c 
@@ -296,7 +296,7 @@ static int dns_zone_add_authenticated_answer(DnsAnswer *a, DnsZoneItem *i, int i else flags = DNS_ANSWER_AUTHENTICATED; - return dns_answer_add(a, i->rr, ifindex, flags); + return dns_answer_add(a, i->rr, ifindex, flags, NULL); } int dns_zone_lookup(DnsZone *z, DnsResourceKey *key, int ifindex, DnsAnswer **ret_answer, DnsAnswer **ret_soa, bool *ret_tentative) { diff --git a/src/resolve/resolved-etc-hosts.c b/src/resolve/resolved-etc-hosts.c index 2cb90d201a..0c35d91a83 100644 --- a/src/resolve/resolved-etc-hosts.c +++ b/src/resolve/resolved-etc-hosts.c @@ -406,7 +406,7 @@ int manager_etc_hosts_lookup(Manager *m, DnsQuestion* q, DnsAnswer **answer) { if (!rr->ptr.name) return -ENOMEM; - r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; } @@ -458,7 +458,7 @@ int manager_etc_hosts_lookup(Manager *m, DnsQuestion* q, DnsAnswer **answer) { if (r < 0) return r; - r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED); + r = dns_answer_add(*answer, rr, 0, DNS_ANSWER_AUTHENTICATED, NULL); if (r < 0) return r; } diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c index 0275d0eb94..b0763694dc 100644 --- a/src/resolve/test-dnssec.c +++ b/src/resolve/test-dnssec.c @@ -170,7 +170,7 @@ static void test_dnssec_verify_rfc8080_ed25519_example1(void) { answer = dns_answer_new(1); assert_se(answer); - assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED) >= 0); + assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey, rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0); 
@@ -262,7 +262,7 @@ static void test_dnssec_verify_rfc8080_ed25519_example2(void) { answer = dns_answer_new(1); assert_se(answer); - assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED) >= 0); + assert_se(dns_answer_add(answer, mx, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey, rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0); @@ -344,7 +344,7 @@ static void test_dnssec_verify_rrset(void) { answer = dns_answer_new(1); assert_se(answer); - assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED) >= 0); + assert_se(dns_answer_add(answer, a, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); /* Validate the RR as it if was 2015-12-2 today */ assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC, &result) >= 0); @@ -436,7 +436,7 @@ static void test_dnssec_verify_rrset2(void) { answer = dns_answer_new(1); assert_se(answer); - assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED) >= 0); + assert_se(dns_answer_add(answer, nsec, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); /* Validate the RR as it if was 2015-12-11 today */ assert_se(dnssec_verify_rrset(answer, nsec->key, rrsig, dnskey, 1449849318*USEC_PER_SEC, &result) >= 0); 
@@ -563,10 +563,10 @@ static void test_dnssec_verify_rrset3(void) { answer = dns_answer_new(4); assert_se(answer); - assert_se(dns_answer_add(answer, mx1, 0, DNS_ANSWER_AUTHENTICATED) >= 0); - assert_se(dns_answer_add(answer, mx2, 0, DNS_ANSWER_AUTHENTICATED) >= 0); - assert_se(dns_answer_add(answer, mx3, 0, DNS_ANSWER_AUTHENTICATED) >= 0); - assert_se(dns_answer_add(answer, mx4, 0, DNS_ANSWER_AUTHENTICATED) >= 0); + assert_se(dns_answer_add(answer, mx1, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); + assert_se(dns_answer_add(answer, mx2, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); + assert_se(dns_answer_add(answer, mx3, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); + assert_se(dns_answer_add(answer, mx4, 0, DNS_ANSWER_AUTHENTICATED, NULL) >= 0); /* Validate the RR as it if was 2020-02-24 today */ assert_se(dnssec_verify_rrset(answer, mx1->key, rrsig, dnskey, 1582534685*USEC_PER_SEC, &result) >= 0); -- cgit v1.2.3