resolved: properly check per-link NTA list
authorLennart Poettering <lennart@poettering.net>
Tue, 17 Nov 2020 17:31:53 +0000 (18:31 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 2 Dec 2020 15:56:11 +0000 (16:56 +0100)
We need to check for parent domains too. We did this correctly for the
system-wide NTA list, but not for the per-link one. Let's fix that.

src/resolve/resolved-dns-transaction.c
src/resolve/resolved-link.c
src/resolve/resolved-link.h

index 7a2d8723a0d9c468bacce71838a62a07afc83f90..95f643ddcb3212579fc4f954a941e1f8ac6f912e 100644 (file)
@@ -1887,7 +1887,7 @@ static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const
         if (!t->scope->link)
                 return 0;
 
-        return set_contains(t->scope->link->dnssec_negative_trust_anchors, name);
+        return link_negative_trust_anchor_lookup(t->scope->link, name);
 }
 
 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
index cb5be90c758645dd636bd77a40a8ac6ed7da54ec..4fa4451ab75f10a06625fdee6a10f825e0cbcbc5 100644 (file)
@@ -1407,3 +1407,26 @@ void link_remove_user(Link *l) {
 
         (void) unlink(l->state_file);
 }
+
+bool link_negative_trust_anchor_lookup(Link *l, const char *name) {
+        int r;
+
+        assert(l);
+        assert(name);
+
+        /* Checks whether the specified domain (or any of its parent domains) are listed as per-link NTA. */
+
+        for (;;) {
+                if (set_contains(l->dnssec_negative_trust_anchors, name))
+                        return true;
+
+                /* And now, let's look at the parent, and check that too */
+                r = dns_name_parent(&name);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+        }
+
+        return false;
+}
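Review bot: The `return r;` under `if (r < 0)` in link_negative_trust_anchor_lookup() is in a function declared `bool`, so a negative dns_name_parent() error is converted to `true` and a name whose parent cannot be computed is reported as covered by a negative trust anchor; the caller dns_transaction_negative_trust_anchor_lookup() in the first hunk would then treat that error as "skip DNSSEC validation", i.e. the error path fails open. The minimal fix is `if (r < 0) return false;` so an unparseable name keeps validation enabled; the alternative is to make the function return `int` here, in the prototype added to resolved-link.h in the third hunk, and in the call site of the first hunk, which already returns `int` and could propagate the error. The loop assumes dns_name_parent() yields 0 once the root is reached and a positive value otherwise; that contract is not visible in the hunk and should be confirmed against its definition. Minor: the comment on the new function should read "is listed" rather than "are listed".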
index 3f08e983512e5791ea6b1dfd3e0501626d843fe7..26b0d13127d5652e0e8f0dbe8dca35fcd7cdaf48 100644 (file)
@@ -108,4 +108,6 @@ int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);
 bool link_address_relevant(LinkAddress *l, bool local_multicast);
 void link_address_add_rrs(LinkAddress *a, bool force_remove);
 
+bool link_negative_trust_anchor_lookup(Link *l, const char *name);
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_free);