| author | Tom Gundersen <teg@jklm.no> | 2016-01-14 17:02:57 +0100 | 
|---|---|---|
| committer | Tom Gundersen <teg@jklm.no> | 2016-01-14 17:02:57 +0100 | 
| commit | becc96b7264a7f56dc2024bb3000cd179526c43e (patch) | |
| tree | 7ceafc37af826fb969b0f706778978446a60c0a1 /src/resolve/resolved-dns-transaction.c | |
| parent | deebd4d26f42e837ed57f6e9ccbe99dfe0e7f6d6 (diff) | |
| parent | 81ec9e0887ef12bebd36d48f10372cf003df5d38 (diff) | |
Merge pull request #2316 from poettering/dnssec14
Fourteenth DNSSEC PR
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
| -rw-r--r-- | src/resolve/resolved-dns-transaction.c | 26 | 
1 files changed, 11 insertions, 15 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 9ee10f21c8..c7d2d82ecf 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2531,28 +2531,24 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                         if (result == DNSSEC_VALIDATED_WILDCARD) {
                                 bool authenticated = false;
-                                const char *suffix;
+                                const char *source;
-                                /* This RRset validated, but as a wildcard. This means we need to proof via NSEC/NSEC3
-                                 * that no matching non-wildcard RR exists.
-                                 *
-                                 * See RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4*/
+                                /* This RRset validated, but as a wildcard. This means we need to prove via NSEC/NSEC3
+                                 * that no matching non-wildcard RR exists.*/
-                                r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &suffix);
+                                /* First step, determine the source of synthesis */
+                                r = dns_name_suffix(DNS_RESOURCE_KEY_NAME(rr->key), rrsig->rrsig.labels, &source);
                                 if (r < 0)
                                         return r;
                                 if (r == 0)
                                         return -EBADMSG;
-                                r = dns_name_parent(&suffix);
-                                if (r < 0)
-                                        return r;
-                                if (r == 0)
-                                        return -EBADMSG;
-
-                                r = dnssec_nsec_test_between(validated, DNS_RESOURCE_KEY_NAME(rr->key), suffix, &authenticated);
-                                if (r < 0)
-                                        return r;
+                                r = dnssec_test_positive_wildcard(
+                                                validated,
+                                                DNS_RESOURCE_KEY_NAME(rr->key),
+                                                source,
+                                                rrsig->rrsig.signer,
+                                                &authenticated);
                                 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
                                 if (r == 0)
