mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00

resolve: unsupported DNSSEC algorithms are considered INSECURE; not BOGUS

Resolves: #19824
Jacek Migacz 2022-09-21 08:23:22 +02:00 committed by Luca Boccassi
parent f4e5569190
commit 1ca3600120


@ -3332,10 +3332,19 @@ static int dnssec_validate_records(
}
}
/* https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 */
if (result == DNSSEC_UNSUPPORTED_ALGORITHM) {
r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
if (r < 0)
return r;
manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
return 1;
}
if (IN_SET(result,
DNSSEC_MISSING_KEY,
DNSSEC_SIGNATURE_EXPIRED,
DNSSEC_UNSUPPORTED_ALGORITHM)) {
DNSSEC_SIGNATURE_EXPIRED)) {
r = dns_transaction_dnskey_authenticated(t, rr);
if (r < 0 && r != -ENXIO)
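Review bot: The new `DNSSEC_UNSUPPORTED_ALGORITHM` branch returns 1 with a `DNSSEC_INSECURE` verdict before the `dns_transaction_dnskey_authenticated(t, rr)` check that this result used to go through in the `IN_SET` block below, so nothing visible in the hunk ties the downgrade to the condition RFC 6840 section 5.2 actually states: that the authenticated DS RRset for the zone lists no algorithm the resolver supports. If the zone is also signed with a supported algorithm, an RRset carrying only unsupported-algorithm signatures should presumably still fail validation rather than be accepted unauthenticated; whether the code that computes `result` already rules this out cannot be seen from here and is worth confirming, ideally with a test for a dual-algorithm zone. The bare URL comment would be clearer if it stated the rule, e.g. `/* RFC 6840 §5.2: if the authenticated DS set lists only algorithms we do not support, treat the zone as unsigned (insecure), not bogus */`. `dnssec_validate_records()` begins and ends outside this hunk.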