git.ipfire.org Git - thirdparty/systemd.git/commit - src/resolve/resolved-dns-transaction.c

resolved: explicitly handle case when the trust anchor is empty

Since we honour RFC5011 revoked keys it might happen we end up with an
empty trust anchor, or one where there's no entry for the root left.
With this patch the logic is changed what to do in this case.

Before this patch we'd end up requesting the root DS, which returns with
NODATA but a signed NSEC we cannot verify, since the trust anchor is
empty after all. Thus we'd return a DNSSEC result of "missing-key", as
we lack a verified version of the key.

With this patch in place, look-ups for the root DS are explicitly
recognized, and not passed on to the DNS servers. Instead, if
downgrade-ok mode is on an unsigned NODATA response is synthesized, so
that the validator code continues under the assumption the root zone was
unsigned. If downgrade-ok mode is off a new transaction failure is
generated, that makes this case recognizable.

author	Lennart Poettering <lennart@poettering.net>
	Mon, 4 Jan 2016 21:35:54 +0000 (22:35 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 4 Jan 2016 21:42:10 +0000 (22:42 +0100)
commit	b2b796b8ab5565fbe60b544d2579e2bfca31bf6a
tree	b06a7484dcc2fb4cfa0de22880fe048a9104c5ba	tree \| snapshot
parent	a761c1ca851a9397b5a207ef600e077d0f7f4534	commit \| diff

src/libsystemd/sd-bus/bus-common-errors.h		diff \| blob \| blame \| history
src/resolve/resolved-bus.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-transaction.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-transaction.h		diff \| blob \| blame \| history