resolved: only attempt non-answer SOA RRs if they are parents of our query

There's no value in authenticating SOA RRs that are neither answer to our question nor parent of our question (the latter being relevant so that we have a TTL from the SOA field for negative caching of the actual query). By being to eager here, and trying to authenticate too much we run the risk of creating cyclic deps between our transactions which then causes the over-all authentication to fail. Fixes: #9771
2025-03-08 20:58:20 +03:00 · 2018-12-17 21:14:17 +01:00 · 2018-12-17 21:14:17 +01:00 · d5acaa51db
commit d5acaa51db
parent 1a126325eb
1 changed files with 8 additions and 0 deletions
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@ -2142,6 +2142,14 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                                if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
                                            * it. */
                                        continue;
+
+                                /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
+                                 * what we are looking for, otherwise there's no value in it for us. */
+                                r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key));
+                                if (r < 0)
+                                        return r;
+                                if (r == 0)
+                                        continue;
                        }

                        r = dnssec_has_rrsig(t->answer, rr->key);