mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-10-27 01:55:32 +03:00
Merge pull request #11194 from poettering/resolved-soa-parent
be more conservative with set of RRs to authenticate
commit
b99b316497
@ -2142,6 +2142,14 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
|
||||
if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
|
||||
* it. */
|
||||
continue;
|
||||
|
||||
/* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
|
||||
* what we are looking for, otherwise there's no value in it for us. */
|
||||
r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key));
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0)
|
||||
continue;
|
||||
}
|
||||
|
||||
r = dnssec_has_rrsig(t->answer, rr->key);
|
||||
@ -2276,21 +2284,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
|
||||
r = dns_name_parent(&name);
|
||||
if (r > 0) {
|
||||
type = DNS_TYPE_SOA;
|
||||
log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
|
||||
t->id, dns_resource_key_name(t->key));
|
||||
log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
|
||||
name, t->id, dns_resource_key_name(t->key));
|
||||
} else
|
||||
name = NULL;
|
||||
|
||||
} else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
|
||||
|
||||
type = DNS_TYPE_DS;
|
||||
log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
|
||||
t->id, dns_resource_key_name(t->key));
|
||||
log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
|
||||
name, t->id, name);
|
||||
|
||||
} else {
|
||||
type = DNS_TYPE_SOA;
|
||||
log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
|
||||
t->id, dns_resource_key_name(t->key));
|
||||
log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
|
||||
name, t->id, name);
|
||||
}
|
||||
|
||||
if (name) {
|
||||
|
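Review bot: The new `if (r == 0) continue;` after the `dns_name_endswith()` call in the first hunk skips any SOA/NS RR whose owner name is not a suffix of the query name, and it does so without a trace. As far as this hunk shows, no DS lookup is requested for such a record, so it stays unauthenticated; a short comment on that branch would make the consequence explicit, e.g. `/* Unrelated SOA/NS: no DS lookup requested, this RR is left unauthenticated. */`. The comment above the call says "parent", but a suffix test presumably also accepts an owner name equal to the query name; if that is intended, "parent of, or identical to," would be more precise. The enclosing block and function start and end outside the hunk, so how skipped RRs are handled later in validation and caching cannot be confirmed from here.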