resolved: handle RRs where we don't have a signer

If we encounter an RR that has no matching signature, then we don't know whether it was expanded from a wildcard or not. We need to accept that and not make the NSEC test fail, just skip over the RR.
2025-02-23 13:57:33 +03:00 · 2020-11-03 20:34:21 +01:00 · 2020-11-03 20:34:21 +01:00 · 2f4c2db20a
commit 2f4c2db20a
parent de4a0138e7
1 changed files with 2 additions and 0 deletions
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -1813,6 +1813,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r

                /* The following checks only make sense for NSEC RRs that are not expanded from a wildcard */
                r = dns_resource_record_is_synthetic(rr);
+                if (r == -ENODATA) /* No signing RR known. */
+                        continue;
                if (r < 0)
                        return r;
                if (r > 0)