From e82b1132579e45c80b95d4bc12b8c333fa909d53 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 8 Dec 2017 20:11:36 +0100 Subject: [PATCH] resolved: try a different server if server is too dumb to do DNSSEC If we are in strict DNSSEC mode it's worthy to try a different DNS server before accepting that DNSSEC is not actually supported. Fixes: #7040 --- src/resolve/resolved-dns-transaction.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 0388b5e076..f4bbde0219 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -739,8 +739,17 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) { if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER && t->scope->dnssec_mode == DNSSEC_YES) { - /* We are not in automatic downgrade mode, and the - * server is bad, refuse operation. */ + + /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe + * that works. */ + + if (t->n_picked_servers < dns_scope_get_n_dns_servers(t->scope)) { + /* We tried fewer servers on this transaction than we know, let's try another one then */ + dns_transaction_retry(t, true); + return; + } + + /* OK, let's give up, apparently all servers we tried didn't work. */ dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED); return; }