mirror of
https://github.com/systemd/systemd.git
synced 2024-10-31 16:21:26 +03:00
resolved: see if it's worth retrying a lookup on "failed-auxiliary" DNSSEC error
Maybe we learnt something about the server feature set, let's hence retry. Fixes: #11102
This commit is contained in:
parent
d96275d8eb
commit
e30a62bfe6
@ -844,6 +844,7 @@ static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
|
|||||||
|
|
||||||
static int dns_transaction_dnssec_ready(DnsTransaction *t) {
|
static int dns_transaction_dnssec_ready(DnsTransaction *t) {
|
||||||
DnsTransaction *dt;
|
DnsTransaction *dt;
|
||||||
|
int r;
|
||||||
|
|
||||||
assert(t);
|
assert(t);
|
||||||
|
|
||||||
@ -877,7 +878,7 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) {
|
|||||||
|
|
||||||
case DNS_TRANSACTION_DNSSEC_FAILED:
|
case DNS_TRANSACTION_DNSSEC_FAILED:
|
||||||
/* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
|
/* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
|
||||||
* validationr result */
|
* validation result */
|
||||||
|
|
||||||
log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
|
log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
|
||||||
t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
|
t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
|
||||||
@ -894,6 +895,18 @@ static int dns_transaction_dnssec_ready(DnsTransaction *t) {
|
|||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
|
/* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
|
||||||
|
* server due to this failure, and the feature level is now different? Let's see and restart the
|
||||||
|
* transaction if so. If not, let's propagate the auxiliary failure.
|
||||||
|
*
|
||||||
|
* This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
|
||||||
|
* are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
|
||||||
|
r = dns_transaction_maybe_restart(t);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
if (r > 0)
|
||||||
|
return 0; /* don't validate just yet, we restarted things */
|
||||||
|
|
||||||
t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
|
t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
|
||||||
dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
|
dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
|
||||||
return 0;
|
return 0;
|
||||||
|
Loading…
Reference in New Issue
Block a user