| author | Ronan Pigott <ronan@rjp.ie> | 2024-10-21 08:16:49 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-10-22 17:59:05 +0200 |
| commit | afdb38a39f49292219e6721f39dec048977eafa7 (patch) | |
| tree | 3a60986b5d16bbf8f8dcefc51a9e5b089e849203 /src/resolve | |
| parent | Merge pull request #34851 from DaanDeMeyer/medium (diff) | |
| download | systemd-afdb38a39f49292219e6721f39dec048977eafa7.tar.xz systemd-afdb38a39f49292219e6721f39dec048977eafa7.zip | |
resolved: validate noerror response for CNAMEs
CNAME doesn't exist at the zone apex. When we get an unsigned noerror
response to a direct query for a CNAME record, we don't yet know if this
name is zone apex. We already request the correct DS record in this
case, but previously skipped it at validation time, causing the answer
to appear bogus. Make sure to also consider the DS record for the query
name for negative replies.
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 10 |
1 files changed, 0 insertions, 10 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index f78bf0702b..a162a91a03 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -3071,16 +3071,6 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) { name = dns_resource_key_name(dns_transaction_key(t)); - if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_DS, DNS_TYPE_CNAME, DNS_TYPE_DNAME)) { - /* We got a negative reply for this DS/CNAME/DNAME lookup? Check the parent in this case to - * see if this answer should have been signed. */ - r = dns_name_parent(&name); - if (r < 0) - return r; - if (r == 0) - return true; - } - /* For all other RRs we check the DS on the same level to see * if it's signed. */ |
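Review bot: the deleted block in dns_transaction_requires_nsec() covered DNS_TYPE_DS and DNS_TYPE_DNAME as well as DNS_TYPE_CNAME, but the commit message only argues the CNAME case; a DS RRset is served by the parent zone, which is exactly why the removed comment walked up to the parent for a negative DS reply, so please confirm that negative DS (and DNAME) replies still get a parent-level DS check after this hunk, or narrow the deletion to DNS_TYPE_CNAME. The surviving comment `/* For all other RRs we check the DS on the same level to see if it's signed. */` now has no "other" case left to contrast with and should be reworded to say that the DS for the query name itself is consulted for every negative reply, matching the commit message. Also check that `r`, whose only visible use (`r = dns_name_parent(&name)`) is removed here, is still used elsewhere in the function so that no unused-variable warning is introduced.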