resolved: only attempt non-answer SOA RRs if they are parents of our query
authorLennart Poettering <lennart@poettering.net>
Mon, 17 Dec 2018 20:14:17 +0000 (21:14 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 18 Dec 2018 10:25:21 +0000 (11:25 +0100)
There's no value in authenticating SOA RRs that are neither answer to
our question nor parent of our question (the latter being relevant so
that we have a TTL from the SOA field for negative caching of the actual
query).

By being too eager here, and trying to authenticate too much, we run the
risk of creating cyclic deps between our transactions, which then causes
the overall authentication to fail.

Fixes: #9771
src/resolve/resolved-dns-transaction.c

index cc748ac95eac03118e0c5935e26727a8c1cb3e86..30f798df36279ba6c86465d3937aafceafd488ba 100644 (file)
@@ -2142,6 +2142,14 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                                 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
                                             * it. */
                                         continue;
+
+                                /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
+                                 * what we are looking for, otherwise there's no value in it for us. */
+                                r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key));
+                                if (r < 0)
+                                        return r;
+                                if (r == 0)
+                                        continue;
                         }
 
                         r = dnssec_has_rrsig(t->answer, rr->key);
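Review bot: The added comment says the SOA/NS RR must be "actually a parent" of the query name, but dns_name_endswith() — if it behaves as its name suggests — also returns positive when the two names are identical, so an SOA whose owner name equals t->key's name passes this filter as well; the comment should match the check, e.g. `/* Only bother with this if the SOA/NS RR we are looking at is actually a parent of (or identical to) what we are looking for, otherwise there's no value in it for us. */`. It is also worth noting in that comment that the owner name taken from rr->key comes from the received answer, so this filter is decided on wire data and a non-matching name only causes the RR to be skipped rather than chased, which is the conservative direction. The enclosing function dns_transaction_request_dnssec_keys() and the loop this code sits in both start before and continue after this hunk.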