resolved: rework dnssec validation results
author: Lennart Poettering <lennart@poettering.net>
Fri, 11 Dec 2015 12:55:26 +0000 (13:55 +0100)
committer: Lennart Poettering <lennart@poettering.net>
Fri, 11 Dec 2015 13:14:27 +0000 (14:14 +0100)
commit: 203f1b35d962bab3c67ecf57ce6bd9ec87bf7078
tree: 56a31af821e5be67ac8b721d0107cab93f0303f2
parent: 79e249313887840e0fc52f69afc0daeed754bff1
resolved: rework dnssec validation results

This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is
returned when we encounter an unsupported crypto algorithm when trying
to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP
in this case, but it's better to consider this a non-error DNSSEC
validation result, since our reaction to this case needs to be more like
in cases such as expired or missing keys: we need to continue
validation, looking for another RRSIG/DNSKEY combination that works
better for us.

This also reworks how dnssec_validate_rrsig_search() propagates errors
from dnssec_validate_rrsig(). Previously, errors such as unsupported
algorithms or expired signatures would not be propagated, but simply be
returned as "missing-key".
src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-dnssec.h
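As an added illustration (not code from this commit or from systemd), a small C model of the search logic the message describes: the per-pair check modelled on dnssec_validate_rrsig() reports an unsupported algorithm as a validation result instead of ENOTSUPP, and the loop modelled on dnssec_validate_rrsig_search() keeps trying other RRSIG/DNSKEY pairs and propagates the most specific result rather than always returning "missing key". Apart from DNSSEC_UNSUPPORTED_ALGORITHM and the two function names taken from the message, every name, the stand-in structs, the single "supported" algorithm and the result priority order are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Validation results as the commit message describes them; only
 * DNSSEC_UNSUPPORTED_ALGORITHM is named there, the other names are assumed. */
typedef enum {
        DNSSEC_VALIDATED, DNSSEC_INVALID, DNSSEC_SIGNATURE_EXPIRED,
        DNSSEC_UNSUPPORTED_ALGORITHM, DNSSEC_MISSING_KEY, DNSSEC_NO_SIGNATURE,
} DnssecResult;

/* Constructed stand-ins for an RRSIG and a DNSKEY, reduced to the fields the
 * search needs; signature_ok stands in for the actual signature check. */
typedef struct { int key_tag; int algorithm; long expiration; bool signature_ok; } Rrsig;
typedef struct { int key_tag; int algorithm; } Dnskey;

#define SUPPORTED_ALGORITHM 8 /* RSA/SHA-256, the only algorithm this model implements */

/* Model of dnssec_validate_rrsig(): one RRSIG against one DNSKEY. An unsupported
 * algorithm is an ordinary result here, not an ENOTSUPP error. */
static DnssecResult validate_one(const Rrsig *sig, const Dnskey *key, long now) {
        if (sig->key_tag != key->key_tag || sig->algorithm != key->algorithm)
                return DNSSEC_MISSING_KEY;  /* this key did not produce this signature */
        if (sig->algorithm != SUPPORTED_ALGORITHM)
                return DNSSEC_UNSUPPORTED_ALGORITHM;
        if (sig->expiration < now)
                return DNSSEC_SIGNATURE_EXPIRED;
        return sig->signature_ok ? DNSSEC_VALIDATED : DNSSEC_INVALID;
}

/* Model of dnssec_validate_rrsig_search(): try every RRSIG/DNSKEY pair, stop at
 * the first that validates, otherwise report the most specific non-validating
 * result seen (priority order below is assumed) instead of "missing key". */
static DnssecResult validate_search(const Rrsig *sigs, size_t nsigs,
                                    const Dnskey *keys, size_t nkeys, long now) {
        bool invalid = false, expired = false, unsupported = false;
        if (nsigs == 0) return DNSSEC_NO_SIGNATURE;
        for (size_t i = 0; i < nsigs; i++)
                for (size_t j = 0; j < nkeys; j++) {
                        DnssecResult r = validate_one(&sigs[i], &keys[j], now);
                        if (r == DNSSEC_VALIDATED) return r; /* one working pair is enough */
                        invalid |= r == DNSSEC_INVALID;
                        expired |= r == DNSSEC_SIGNATURE_EXPIRED;
                        unsupported |= r == DNSSEC_UNSUPPORTED_ALGORITHM;
                }
        if (invalid) return DNSSEC_INVALID;
        if (expired) return DNSSEC_SIGNATURE_EXPIRED;
        if (unsupported) return DNSSEC_UNSUPPORTED_ALGORITHM;
        return DNSSEC_MISSING_KEY;
}
```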