author | Lennart Poettering <lennart@poettering.net> | 2016-01-03 17:56:50 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-03 17:56:50 +0100 |
commit | 28b8191e2f391f043d380d47eb79ed9ff66f14bd (patch) | |
tree | e06b5d74a6f15fe487ff96439eeb93b91fd561f2 | |
parent | 1d3db294fca96fff0a7f8cff4eeeb42460ac21ac (diff) |
resolved: never authenticate RRsets with revoked keys
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 2 | ||||
-rw-r--r-- | src/resolve/resolved-dns-rr.h | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 6e6e62b132..606d681779 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -671,6 +671,8 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske
 return 0;
 if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
 return 0;
+ if ((dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))
+ return 0;
 if (dnskey->dnskey.protocol != 3)
 return 0;
 if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h
index 90c3629166..72bded7d48 100644
--- a/src/resolve/resolved-dns-rr.h
+++ b/src/resolve/resolved-dns-rr.h
@@ -34,8 +34,9 @@ typedef struct DnsResourceRecord DnsResourceRecord;
 typedef struct DnsTxtItem DnsTxtItem;
 /* DNSKEY RR flags */
-#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
 #define DNSKEY_FLAG_SEP (UINT16_C(1) << 0)
+#define DNSKEY_FLAG_REVOKE (UINT16_C(1) << 7)
+#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
 /* mDNS RR flags */
 #define MDNS_RR_CACHE_FLUSH (UINT16_C(1) << 15)
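Review bot: The added REVOKE test is a bare bit test wrapped in a second pair of parentheses, which next to the `== 0` comparison on the line above reads like an unfinished edit; `if (dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE)` or an explicit `!= 0` would match the surrounding style. A short comment would also record the reason the check exists, e.g. `/* RFC 5011 §2.1: a key with the REVOKE bit set must never be used to validate RRsets. */`. Note that RFC 5011 trust-anchor revocation relies on the revoked key signing its own DNSKEY RRset; since dnssec_rrsig_match_dnskey's body starts and ends outside this hunk, it cannot be seen here whether a revocation signature is verified through some other path, so that is worth confirming if RFC 5011 key rollover is ever supported.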
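Review bot: DNSKEY_FLAG_REVOKE is defined as `UINT16_C(1) << 7` with no comment, while RFC 5011 describes the same bit as "bit 8" in the MSB-first numbering RFC 4034 uses for DNSKEY flags (SEP is bit 15, Zone Key bit 7); a reader checking the mask against the RFC will likely suspect an off-by-one. A comment on the flag block would prevent that, e.g. `/* Masks are LSB-first; RFC 4034 §2.1.1 and RFC 5011 §3 number the bits MSB-first (SEP = bit 15, REVOKE = bit 8, ZONE_KEY = bit 7). */`. Reordering the three defines by bit position in this hunk is a good move, since it makes that comment apply to all of them at once.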