author | Lennart Poettering <lennart@poettering.net> | 2016-01-15 02:21:22 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-17 20:47:46 +0100 |
commit | ab481675f98d3d3f12e7e48ba6d2159123b9c7bf (patch) | |
tree | 52a0faf980bd886b7ccb9cbb98a67e6be38c5935 /src/resolve/resolved-dns-rr.c | |
parent | d86c982a3476bcff39a196868c835309c7a6c7fc (diff) |
resolved: complete NSEC non-existance proofs
This fills in the last few gaps:
- When checking if a domain is non-existing, also check that no wildcard for it exists
- Ensure we don't base "covering" tests on NSEC RRs from a parent zone
- Refuse to accept expanded wildcard NSEC RRs for absence proofs.
Diffstat (limited to 'src/resolve/resolved-dns-rr.c')
-rw-r--r-- | src/resolve/resolved-dns-rr.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
index 53fd708365..02c6b239d5 100644
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -1136,6 +1136,8 @@ int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone) {
 const char *signer;
 int r;
+ assert(rr);
+
 r = dns_resource_record_signer(rr, &signer);
 if (r < 0)
 return r;
@@ -1143,6 +1145,29 @@ int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone) {
 return dns_name_equal(zone, signer);
 }
+int dns_resource_record_is_synthetic(DnsResourceRecord *rr) {
+ int r;
+
+ assert(rr);
+
+ /* Returns > 0 if the RR is generated from a wildcard, and is not the asterisk name itself */
+
+ if (rr->n_skip_labels_source == (unsigned) -1)
+ return -ENODATA;
+
+ if (rr->n_skip_labels_source == 0)
+ return 0;
+
+ if (rr->n_skip_labels_source > 1)
+ return 1;
+
+ r = dns_name_startswith(DNS_RESOURCE_KEY_NAME(rr->key), "*");
+ if (r < 0)
+ return r;
+
+ return !r;
+}
+
 static void dns_resource_record_hash_func(const void *i, struct siphash *state) {
 const DnsResourceRecord *rr = i; |
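Review bot: The comment inside the new dns_resource_record_is_synthetic() documents only the > 0 result, but the function has three outcomes, and the -ENODATA return for `n_skip_labels_source == (unsigned) -1` is the one a caller in the NSEC absence-proof path is most likely to mishandle. A caller that tests the result as a plain boolean would count that error as "synthetic", while one that tests `<= 0` would count it as "not synthetic", so the full contract should sit above the function: `/* Returns > 0 if the RR was expanded from a wildcard and is not the wildcard name itself, 0 if it was not, and -ENODATA if n_skip_labels_source is still (unsigned) -1 */`. Errors passed through from dns_name_startswith() belong in the same comment. The callers are outside this file section, so whether they already distinguish the three cases cannot be confirmed from here.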