summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-01-13 02:26:23 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-13 20:21:56 +0100
commit7160eb1b867a4bc64522287352fbe2a6aa687d2a (patch)
tree2c92f74f008e279d45e1f570f5fddf90c3b7b327
parent7715f91dca0ce4622daf8beab582d57ec49d005e (diff)
resolved: properly handles RRs in domains beginning in an asterisk label
Properly handle RRs that begin with an asterisk label. These are the unexpanded forms of wildcard domains and appear in NSEC RRs for example. We need to make sure we handle the signatures of these RRs properly, since they mostly are considered normal RRs, except that the RRSIG labels counter is one off for them, as the asterisk label is always excluded of the signature.
-rw-r--r--src/resolve/resolved-dns-dnssec.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 8dfb5edbc0..a18ae56b9e 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -548,7 +548,18 @@ int dnssec_verify_rrset(
r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(key), rrsig->rrsig.labels, &source);
if (r < 0)
return r;
- wildcard = r > 0;
+ if (r == 1) {
+ /* If we stripped a single label, then let's see if that maybe was "*". If so, we are not really
+ * synthesized from a wildcard, we are the wildcard itself. Treat that like a normal name. */
+ r = dns_name_startswith(DNS_RESOURCE_KEY_NAME(key), "*");
+ if (r < 0)
+ return r;
+ if (r > 0)
+ source = DNS_RESOURCE_KEY_NAME(key);
+
+ wildcard = r == 0;
+ } else
+ wildcard = r > 0;
/* Collect all relevant RRs in a single array, so that we can look at the RRset */
list = newa(DnsResourceRecord *, dns_answer_size(a));