author | Lennart Poettering <lennart@poettering.net> | 2015-12-18 20:09:30 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-12-18 20:09:30 +0100 |
commit | 019036a47fcd10fcf0286800d144c706f3773e2f (patch) | |
tree | 77f62fa9d00461c3299ad0d1fafe555414726d18 /src/resolve/resolved-dns-transaction.c | |
parent | 3bbdc31df37a23b5134a115c01d15e7ff870b3cc (diff) |
resolved: propagate the DNSSEC result from the transaction to the query and the the bus client
It's useful to generate useful errors, so let's do that.
Diffstat (limited to 'src/resolve/resolved-dns-transaction.c')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 893ffa9ffe..9a4dcfd74a 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -129,7 +129,7 @@ int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key) t->dns_udp_fd = -1; t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID; - t->dnssec_result = _DNSSEC_RESULT_INVALID; + t->answer_dnssec_result = _DNSSEC_RESULT_INVALID; t->key = dns_resource_key_ref(key); /* Find a fresh, unused transaction id */ @@ -463,7 +463,7 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) { return; } - if (!IN_SET(t->dnssec_result, + if (!IN_SET(t->answer_dnssec_result, _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */ DNSSEC_VALIDATED, /* Answer is signed and validated successfully */ DNSSEC_UNSIGNED)) { /* Answer is right-fully unsigned */ @@ -1611,7 +1611,7 @@ void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) { return; fail: - t->dnssec_result = DNSSEC_FAILED_AUXILIARY; + t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY; dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED); } @@ -1852,12 +1852,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { return 0; /* Already validated */ - if (t->dnssec_result != _DNSSEC_RESULT_INVALID) + if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID) return 0; /* Our own stuff needs no validation */ if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) { - t->dnssec_result = DNSSEC_VALIDATED; + t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_authenticated = true; return 0; } @@ -1950,7 +1950,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { * to our question, and it * failed validation. That's * fatal. */ - t->dnssec_result = result; + t->answer_dnssec_result = result; return 0; } 
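Review bot: In the `IN_SET` check of dns_transaction_process_dnssec() (hunk at -463), `_DNSSEC_RESULT_INVALID` is accepted as "No DNSSEC validation enabled", while the "Already validated" test in dns_transaction_validate_dnssec() (hunk at -1852) reads the same value as "not validated yet". The sentinel therefore carries two meanings, and the visible lines do not show what guarantees that validation has run before the check when DNSSEC is on; if it had not, an unvalidated answer would presumably pass as acceptable. Since the commit message says this field is now propagated to the query and the bus client, I would document the invariant at the check, e.g. `/* _DNSSEC_RESULT_INVALID is acceptable here only when DNSSEC validation is off; otherwise dns_transaction_validate_dnssec() must already have set a result */`. Both functions start and end outside the hunks shown, so the guarantee may be established in code not visible here.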
@@ -1999,12 +1999,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { if (flags & DNS_ANSWER_AUTHENTICATED) { /* The answer is fully authenticated, yay. */ - t->dnssec_result = DNSSEC_VALIDATED; + t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_SUCCESS; t->answer_authenticated = true; } else { /* The answer is not fully authenticated. */ - t->dnssec_result = DNSSEC_UNSIGNED; + t->answer_dnssec_result = DNSSEC_UNSIGNED; t->answer_authenticated = false; } @@ -2021,7 +2021,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { case DNSSEC_NSEC_NXDOMAIN: /* NSEC proves the domain doesn't exist. Very good. */ log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); - t->dnssec_result = DNSSEC_VALIDATED; + t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_NXDOMAIN; t->answer_authenticated = true; break; @@ -2029,7 +2029,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { case DNSSEC_NSEC_NODATA: /* NSEC proves that there's no data here, very good. */ log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); - t->dnssec_result = DNSSEC_VALIDATED; + t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_SUCCESS; t->answer_authenticated = true; break; @@ -2037,7 +2037,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { case DNSSEC_NSEC_OPTOUT: /* NSEC3 says the data might not be signed */ log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); - t->dnssec_result = DNSSEC_UNSIGNED; + t->answer_dnssec_result = DNSSEC_UNSIGNED; t->answer_authenticated = false; break; 
@@ -2048,9 +2048,9 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { if (r < 0) return r; if (r > 0) - t->dnssec_result = DNSSEC_NO_SIGNATURE; + t->answer_dnssec_result = DNSSEC_NO_SIGNATURE; else { - t->dnssec_result = DNSSEC_UNSIGNED; + t->answer_dnssec_result = DNSSEC_UNSIGNED; t->answer_authenticated = false; } @@ -2058,12 +2058,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM: /* We don't know the NSEC3 algorithm used? */ - t->dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM; + t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM; break; case DNSSEC_NSEC_FOUND: /* NSEC says it needs to be there, but we couldn't find it? Bummer! */ - t->dnssec_result = DNSSEC_NSEC_MISMATCH; + t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH; break; default: |