From 2f4c2db20ae02d750a6995e0afbff7231cd3a6b7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 3 Nov 2020 20:34:21 +0100
Subject: [PATCH] resolved: handle RRs where we don't have a signer

If we encounter an RR that has no matching signature, then we don't know whether it was expanded from a wildcard or not. We need to accept that and not make the NSEC test fail, just skip over the RR.
---
 src/resolve/resolved-dns-dnssec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 5a4f5c58b6..5a01d49dee 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1813,6 +1813,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 /* The following checks only make sense for NSEC RRs that are not expanded from a wildcard */
 r = dns_resource_record_is_synthetic(rr);
+ if (r == -ENODATA) /* No signing RR known. */
+ continue;
 if (r < 0)
 return r;
 if (r > 0)
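Review bot: The new `-ENODATA` branch skips the RR silently, and the short comment `/* No signing RR known. */` does not record why skipping is the safe choice here. I would expand it to something like `/* No RRSIG known for this RR: we can't tell whether it is wildcard-expanded, and an unsigned NSEC must not serve as proof, so ignore it rather than failing the whole test. */`. Whether a skipped record still influences state set earlier in the loop, and so the result returned when no other NSEC matches, is not visible here, because the loop body of dnssec_nsec_test starts and ends outside the hunk; that is worth confirming. A debug-level log line at the skip would also help when diagnosing why a denial-of-existence proof was not accepted.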