summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-15 20:05:27 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-17 10:25:16 +0100
commit6993d26469ca8deee0eea2b806b3c415deaa2e25 (patch)
treea9d1a4fdae3f59684d8011322caf291c1b938d65
parent74a3ed740824a4ead40a733ee27f3ac236aa9f8e (diff)
resolved: try to authenticate SOA on negative replies
For caching negative replies we need the SOA TTL information. Hence, let's authenticate all auxiliary SOA RRs through DS requests on all negative requests.
-rw-r--r--src/resolve/resolved-dns-transaction.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 532169ff24..ecd7068683 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2009,8 +2009,18 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
r = dns_resource_key_match_rr(t->key, rr, NULL);
if (r < 0)
return r;
- if (r == 0)
- continue;
+ if (r == 0) {
+ /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
+ * a negative reply, and we need the a SOA RR's TTL in order to cache a negative entry?
+ * If so, we need to validate it, too. */
+
+ r = dns_answer_match_key(t->answer, t->key, NULL);
+ if (r < 0)
+ return r;
+ if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
+ * it. */
+ continue;
+ }
r = dnssec_has_rrsig(t->answer, rr->key);
if (r < 0)