Merge pull request #11194 from poettering/resolved-soa-parent

be more conservative with set of RRs to authenticate
2024-10-27 01:55:32 +03:00 · 2018-12-18 13:07:24 +01:00 · 2018-12-18 13:07:24 +01:00 · b99b316497
commit b99b316497
parent 1a126325eb 6d72da2f3e
1 changed files with 14 additions and 6 deletions
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@ -2142,6 +2142,14 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                                if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
                                            * it. */
                                        continue;
+
+                                /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
+                                 * what we are looking for, otherwise there's no value in it for us. */
+                                r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key));
+                                if (r < 0)
+                                        return r;
+                                if (r == 0)
+                                        continue;
                        }

                        r = dnssec_has_rrsig(t->answer, rr->key);
@ -2276,21 +2284,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                        r = dns_name_parent(&name);
                        if (r > 0) {
                                type = DNS_TYPE_SOA;
-                                log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
-                                          t->id, dns_resource_key_name(t->key));
+                                log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
+                                          name, t->id, dns_resource_key_name(t->key));
                        } else
                                name = NULL;

                } else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {

                        type = DNS_TYPE_DS;
-                        log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
-                                  t->id, dns_resource_key_name(t->key));
+                        log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
+                                  name, t->id, name);

                } else {
                        type = DNS_TYPE_SOA;
-                        log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
-                                  t->id, dns_resource_key_name(t->key));
+                        log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
+                                  name, t->id, name);
                }

                if (name) {