resolved: try to authenticate SOA on negative replies

For caching negative replies we need the TTL of the SOA RR that accompanies them. Hence,
let's authenticate the auxiliary SOA RRs (via DS requests) on all
negative replies as well, not only on positive ones.
Lennart Poettering 2017-02-15 20:05:27 +01:00
parent 74a3ed7408
commit 6993d26469
1 changed files with 12 additions and 2 deletions


@ -2009,8 +2009,18 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
r = dns_resource_key_match_rr(t->key, rr, NULL);
if (r < 0)
return r;
if (r == 0)
continue;
if (r == 0) {
/* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
* a negative reply, and we need the a SOA RR's TTL in order to cache a negative entry?
* If so, we need to validate it, too. */
r = dns_answer_match_key(t->answer, t->key, NULL);
if (r < 0)
return r;
if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
* it. */
continue;
}
r = dnssec_has_rrsig(t->answer, rr->key);
if (r < 0)