summaryrefslogtreecommitdiff
path: root/src/resolve
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-14 17:54:30 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-17 10:25:15 +0100
commit97c2ea26456f21334ac164f330426dd518067f08 (patch)
treec05033074c13f36be9c7e53d8f39f18d2785b9c6 /src/resolve
parentc775838ad7a1f33dcd2f1fac01d1a805bb96bc1f (diff)
resolved: fix NSEC proofs for missing TLDs
For the wildcard NSEC check we need to generate an "asterisk" domain, by prepend the common ancestor with "*.". So far we did that with a simple strappenda() which is fine for most domains, but doesn't work if the common ancestor is the root domain as we usually write that as "." in normalized form, and "*." joined with "." is "*.." and not "*." as it should be. Hence, use the clean way out, let's just use dns_name_concat() which only exists precisely for this reason, to properly concatenate labels. There's a good chance this actually fixes #5029, as this NSEC proof is triggered by lookups in the TLD "example", which doesn't exist in the Internet.
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-dns-dnssec.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 51327105d0..eddab58a81 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1710,7 +1710,8 @@ static int dnssec_nsec_covers(DnsResourceRecord *rr, const char *name) {
}
static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name) {
- const char *common_suffix, *wc;
+ _cleanup_free_ char *wc = NULL;
+ const char *common_suffix;
int r;
assert(rr);
@@ -1734,7 +1735,10 @@ static int dnssec_nsec_covers_wildcard(DnsResourceRecord *rr, const char *name)
if (r <= 0)
return r;
- wc = strjoina("*.", common_suffix);
+ r = dns_name_concat("*", common_suffix, &wc);
+ if (r < 0)
+ return r;
+
return dns_name_between(dns_resource_key_name(rr->key), wc, rr->nsec.next_domain_name);
}