From: Ronan Pigott
Date: Tue, 30 Apr 2024 20:19:14 +0000 (-0700)
Subject: resolved: validate authentic insecure delegation to CNAME
X-Git-Tag: v256-rc2~128
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=414a9b8e5e1e772261b0ffaedc853f5c0aba5719;p=thirdparty%2Fsystemd.git

resolved: validate authentic insecure delegation to CNAME

If the parent zone uses a non-opt-out method that provides authenticated negative DS replies, we still can't expect signatures from the child zone. sd-resolved was using the authenticated status of the DS reply to require signatures for CNAMEs, even though it had already proved that no signature exists.

Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
---
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 32b49807155..92ac0752fec 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2936,7 +2936,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * if (r == 0) continue; - return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); + if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) + return false; + + /* We expect this to be signed when the DS record exists, and don't expect it to be + * signed when the DS record is proven not to exist. */ + return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); } return true;
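Review bot: the new `return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);` passes that call's raw int result straight out of a function whose other exits are `return false;` and `return true;`; if `dns_answer_match_key()` can report an error as a negative value, callers of `dns_transaction_requires_rrsig()` would receive an errno where they expect a boolean, so it is safer to route it through `r`, which is already the pattern just above the hunk (`if (r == 0) continue;`): `r = dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); if (r < 0) return r; return r > 0;`. On the added comment, "proven not to exist" is slightly ahead of what the code checks, which is only that no DS for `dns_transaction_key(dt)` appears in an answer carrying SD_RESOLVED_AUTHENTICATED; it would help a later reader to say that the authenticated flag on the negative DS answer is what carries the denial-of-existence proof, so nobody goes looking for an explicit NSEC/NSEC3 check in this function.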