resolved: don#t allow explicit queries for RRSIG RRs

We wouldn't know how to validate them, since they are the signatures, and hence have no signatures.
2025-03-19 22:50:17 +03:00 · 2016-01-11 20:15:28 +01:00 · 2016-01-11 20:15:28 +01:00 · 04680e36a4
commit 04680e36a4
parent d0129ddb9f
1 changed files with 7 additions and 1 deletions
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@ -77,7 +77,13 @@ bool dns_type_is_valid_query(uint16_t type) {
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
-                       DNS_TYPE_TKEY);
+                       DNS_TYPE_TKEY,
+
+                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
+                        * they aren't really payload, but signatures for payload, and cannot be validated on their
+                        * own. After all they are the signatures, and have no signatures of their own validating
+                        * them. */
+                       DNS_TYPE_RRSIG);
 }

 bool dns_type_is_valid_rr(uint16_t type) {