Merge pull request #3173 from poettering/dnssec-incapdns-fix
Dnssec incapdns fix
This commit is contained in:
commit
a819a985e0
2
TODO
2
TODO
|
@ -51,8 +51,6 @@ Features:
|
||||||
* journald: sigbus API via a signal-handler safe function that people may call
|
* journald: sigbus API via a signal-handler safe function that people may call
|
||||||
from the SIGBUS handler
|
from the SIGBUS handler
|
||||||
|
|
||||||
* resolved: cefmz.x.incapdns.net fails to authenticate
|
|
||||||
|
|
||||||
* when using UTF8, ellipsize with "…" rather than "...", so that we can show more contents before truncating
|
* when using UTF8, ellipsize with "…" rather than "...", so that we can show more contents before truncating
|
||||||
|
|
||||||
* move specifier expansion from service_spawn() into load-fragment.c
|
* move specifier expansion from service_spawn() into load-fragment.c
|
||||||
|
|
|
@ -1804,7 +1804,8 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
|
||||||
* - For unsigned SOA/NS we get the matching DS
|
* - For unsigned SOA/NS we get the matching DS
|
||||||
* - For unsigned CNAME/DNAME/DS we get the parent SOA RR
|
* - For unsigned CNAME/DNAME/DS we get the parent SOA RR
|
||||||
* - For other unsigned RRs we get the matching SOA RR
|
* - For other unsigned RRs we get the matching SOA RR
|
||||||
* - For SOA/NS/DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
|
* - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
|
||||||
|
* - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
|
||||||
* - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
|
* - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
@ -2038,32 +2039,42 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
|
||||||
return r;
|
return r;
|
||||||
if (r > 0) {
|
if (r > 0) {
|
||||||
const char *name;
|
const char *name;
|
||||||
|
uint16_t type = 0;
|
||||||
|
|
||||||
name = dns_resource_key_name(t->key);
|
name = dns_resource_key_name(t->key);
|
||||||
|
|
||||||
/* If this was a SOA or NS request, then this
|
/* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
|
||||||
* indicates that we are not at a zone apex, hence ask
|
* could also be used as indication that we are not at a zone apex, but in real world setups there are
|
||||||
* the parent name instead. If this was a DS request,
|
* too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
|
||||||
* then it's signed when the parent zone is signed,
|
* though they have further children. If this was a DS request, then it's signed when the parent zone
|
||||||
* hence ask the parent in that case, too. */
|
* is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
|
||||||
|
* to see if that is signed. */
|
||||||
|
|
||||||
if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) {
|
if (t->key->type == DNS_TYPE_DS) {
|
||||||
r = dns_name_parent(&name);
|
r = dns_name_parent(&name);
|
||||||
if (r < 0)
|
if (r > 0) {
|
||||||
return r;
|
type = DNS_TYPE_SOA;
|
||||||
if (r > 0)
|
log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
|
||||||
log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS/DS response).",
|
|
||||||
t->id, dns_resource_key_name(t->key));
|
t->id, dns_resource_key_name(t->key));
|
||||||
else
|
} else
|
||||||
name = NULL;
|
name = NULL;
|
||||||
} else
|
|
||||||
|
} else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
|
||||||
|
|
||||||
|
type = DNS_TYPE_DS;
|
||||||
|
log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
|
||||||
|
t->id, dns_resource_key_name(t->key));
|
||||||
|
|
||||||
|
} else {
|
||||||
|
type = DNS_TYPE_SOA;
|
||||||
log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
|
log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
|
||||||
t->id, dns_resource_key_name(t->key));
|
t->id, dns_resource_key_name(t->key));
|
||||||
|
}
|
||||||
|
|
||||||
if (name) {
|
if (name) {
|
||||||
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
|
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
|
||||||
|
|
||||||
soa = dns_resource_key_new(t->key->class, DNS_TYPE_SOA, name);
|
soa = dns_resource_key_new(t->key->class, type, name);
|
||||||
if (!soa)
|
if (!soa)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
@ -2317,11 +2328,12 @@ static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKe
|
||||||
}
|
}
|
||||||
|
|
||||||
static int dns_transaction_requires_nsec(DnsTransaction *t) {
|
static int dns_transaction_requires_nsec(DnsTransaction *t) {
|
||||||
|
char key_str[DNS_RESOURCE_KEY_STRING_MAX];
|
||||||
DnsTransaction *dt;
|
DnsTransaction *dt;
|
||||||
const char *name;
|
const char *name;
|
||||||
|
uint16_t type = 0;
|
||||||
Iterator i;
|
Iterator i;
|
||||||
int r;
|
int r;
|
||||||
char key_str[DNS_RESOURCE_KEY_STRING_MAX];
|
|
||||||
|
|
||||||
assert(t);
|
assert(t);
|
||||||
|
|
||||||
|
@ -2355,22 +2367,25 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {
|
||||||
|
|
||||||
name = dns_resource_key_name(t->key);
|
name = dns_resource_key_name(t->key);
|
||||||
|
|
||||||
if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) {
|
if (t->key->type == DNS_TYPE_DS) {
|
||||||
|
|
||||||
/* We got a negative reply for this SOA/NS lookup? If
|
/* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
|
||||||
* so, then we are not at a zone apex, and thus should
|
* hence check the parent SOA in this case. */
|
||||||
* look at the result of the parent SOA lookup.
|
|
||||||
*
|
|
||||||
* We got a negative reply for this DS lookup? DS RRs
|
|
||||||
* are signed when their parent zone is signed, hence
|
|
||||||
* also check the parent SOA in this case. */
|
|
||||||
|
|
||||||
r = dns_name_parent(&name);
|
r = dns_name_parent(&name);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
if (r == 0)
|
if (r == 0)
|
||||||
return true;
|
return true;
|
||||||
}
|
|
||||||
|
type = DNS_TYPE_SOA;
|
||||||
|
|
||||||
|
} else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS))
|
||||||
|
/* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
|
||||||
|
type = DNS_TYPE_DS;
|
||||||
|
else
|
||||||
|
/* For all other negative replies, check for the SOA lookup */
|
||||||
|
type = DNS_TYPE_SOA;
|
||||||
|
|
||||||
/* For all other RRs we check the SOA on the same level to see
|
/* For all other RRs we check the SOA on the same level to see
|
||||||
* if it's signed. */
|
* if it's signed. */
|
||||||
|
@ -2379,7 +2394,7 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {
|
||||||
|
|
||||||
if (dt->key->class != t->key->class)
|
if (dt->key->class != t->key->class)
|
||||||
continue;
|
continue;
|
||||||
if (dt->key->type != DNS_TYPE_SOA)
|
if (dt->key->type != type)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
r = dns_name_equal(dns_resource_key_name(dt->key), name);
|
r = dns_name_equal(dns_resource_key_name(dt->key), name);
|
||||||
|
|
Loading…
Reference in New Issue