author | Lennart Poettering <lennart@poettering.net> | 2017-02-08 19:22:49 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-02-09 16:13:07 +0100 |
commit | 28830a64102ce7943a1461a916b12b0064bab03a (patch) | |
tree | 1f38eda28a74befcdc8cbb6c3b53918ab2b24369 /src/resolve/resolved-dns-query.c | |
parent | e8d23f92b50a97bb31f1222611a799e176919c2f (diff) |
resolved: when following a CNAME initialize authenticated bit by the weakest answer
When following a CNAME chain, don't set the authenticated bit, unless
all lookups in the chain could be authenticated.
Diffstat (limited to 'src/resolve/resolved-dns-query.c')
-rw-r--r-- | src/resolve/resolved-dns-query.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c index 39fb213cbc..c58845c3b6 100644 --- a/src/resolve/resolved-dns-query.c +++ b/src/resolve/resolved-dns-query.c @@ -1029,6 +1029,9 @@ int dns_query_process_cname(DnsQuery *q) { if (q->flags & SD_RESOLVED_NO_CNAME) return -ELOOP; + if (!q->answer_authenticated) + q->previous_redirect_unauthenticated = true; + /* OK, let's actually follow the CNAME */ r = dns_query_cname_redirect(q, cname); if (r < 0) @@ -1116,3 +1119,9 @@ const char *dns_query_string(DnsQuery *q) { return dns_question_first_name(q->question_idna); } + +bool dns_query_fully_authenticated(DnsQuery *q) { + assert(q); + + return q->answer_authenticated && !q->previous_redirect_unauthenticated; +} |
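Review bot: The latch added before `dns_query_cname_redirect(q, cname)` in `dns_query_process_cname` is set-only, and nothing in this hunk shows that `previous_redirect_unauthenticated` starts out false, survives the redirect, or is cleared if a `DnsQuery` is ever reused, so the invariant deserves a comment at the assignment. Something like `/* Sticky: one unauthenticated hop taints the whole chain; must not be reset while redirects are followed */` would protect it from a later change to the reset path. The check also relies on `q->answer_authenticated` still describing the answer that carried this CNAME at this point, which presumably holds but is established outside the hunk. The function body starts and ends outside the hunk.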
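Review bot: `dns_query_fully_authenticated` is added without a comment, and it only has an effect if the code that reports the authenticated bit to clients calls it instead of reading `q->answer_authenticated`. The page is limited to this one file, so whether those call sites were switched over cannot be confirmed here. Any site that still reads the raw field after a redirect would report only the last hop's status, which is the case the commit message sets out to prevent. I would add above the function `/* True only if the final answer and every CNAME redirect followed to reach it were authenticated; use this, not q->answer_authenticated, when reporting the bit */`.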