authorLennart Poettering <lennart@poettering.net>2016-01-14 17:25:06 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-17 20:44:25 +0100
commit588c53d0441ee33b617582429434b47492f51744 (patch)
treec5d91bae40f4a45d295a7d350e4cb4677c274bed /src/resolve/dns-type.c
parent3d39e6e5d475461c20d0300da80ff8cae5780ccf (diff)
resolved: some RR types may appear only or not at all in a zone apex
Add extra checks when validating with RRSIGs. This follows recommendations from: http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNSSSEC.htm
Diffstat (limited to 'src/resolve/dns-type.c')
-rw-r--r--src/resolve/dns-type.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index 47a37fa0a7..058d14009a 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -135,6 +135,17 @@ bool dns_type_may_wildcard(uint16_t type) {
DNS_TYPE_DNAME);
}
+bool dns_type_apex_only(uint16_t type) {
+
+ /* Returns true for all RR types that may only appear signed in a zone apex */
+
+ return IN_SET(type,
+ DNS_TYPE_SOA,
+ DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
+ DNS_TYPE_DNSKEY,
+ DNS_TYPE_NSEC3PARAM);
+}
+
bool dns_type_is_dnssec(uint16_t type) {
return IN_SET(type,
DNS_TYPE_DS,
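Review bot: The name `dns_type_apex_only()` promises more than the predicate holds for `DNS_TYPE_NS`, which the inline comment itself says can appear below the apex when unsigned. A caller that applied it to an RRset not covered by an RRSIG would treat ordinary delegation NS records as invalid. The call site is not part of this file section, so whether it is reached only on the RRSIG validation path cannot be confirmed from here. I would put the precondition in the header comment, e.g. `/* Returns true for RR types whose *signed* RRsets are valid only at a zone apex. Only meaningful for an RRset covered by an RRSIG: unsigned NS is legal at delegation points. */`. The commit title also mentions types that may not appear at an apex at all; no such predicate is in this hunk, so it presumably lives in another file.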