resolved: validate authentic insecure delegation to CNAME
If the parent zone uses a non-opt-out method that provides authenticated
negative DS replies, we still can't expect signatures from the child
zone. sd-resolved was using the authenticated status of the DS reply to
require signatures for CNAMEs, even though it had already proved that no
signature exists.
Fixes: 47690634f1
("resolved: don't request the SOA for every dns label")
parent
5237ffdf2b
commit
414a9b8e5e
@ -2936,7 +2936,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
|
||||
if (r == 0)
|
||||
continue;
|
||||
|
||||
return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
|
||||
if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
|
||||
return false;
|
||||
|
||||
/* We expect this to be signed when the DS record exists, and don't expect it to be
|
||||
* signed when the DS record is proven not to exist. */
|
||||
return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
|
||||
}
|
||||
|
||||
return true;
|
||||
|
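Review bot: The new `return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);` makes the "signature required" decision hinge on a single DS transaction's answer, but the comment above it only states the expectation and not that a negative value from that call is an error rather than "no signature needed". If `dns_answer_match_key()` can fail with a negative errno, it is propagated unchanged to the caller, which matches the `r` handling earlier in the loop but is easy to misread next to the boolean `return false` / `return true` paths. I would extend the comment to `/* Require a signature iff the authenticated DS answer contains the DS key; a validated negative answer means the delegation is insecure. A negative return is an error, not "unsigned is fine". */`. The enclosing dns_transaction_requires_rrsig() and the loop this sits in start outside the hunk.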