resolved: try a different server if server is too dumb to do DNSSEC 7591/head
authorLennart Poettering <lennart@poettering.net>
Fri, 8 Dec 2017 19:11:36 +0000 (20:11 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 12 Dec 2017 11:10:08 +0000 (12:10 +0100)
If we are in strict DNSSEC mode it's worthwhile to try a different DNS
server before concluding that DNSSEC is not actually supported.

Fixes: #7040
src/resolve/resolved-dns-transaction.c

index 0388b5e07695f56dd749cd471d6c442a9bcb9556..f4bbde02193e321ec9a3d29ea1bd3c0797d764d6 100644 (file)
@@ -739,8 +739,17 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) {
 
         if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
             t->scope->dnssec_mode == DNSSEC_YES) {
-                /*  We are not in automatic downgrade mode, and the
-                 *  server is bad, refuse operation. */
+
+                /*  We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
+                 *  that works. */
+
+                if (t->n_picked_servers < dns_scope_get_n_dns_servers(t->scope)) {
+                        /* We tried fewer servers on this transaction than we know, let's try another one then */
+                        dns_transaction_retry(t, true);
+                        return;
+                }
+
+                /* OK, let's give up, apparently all servers we tried didn't work. */
                 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
                 return;
         }
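Review bot: The new retry path at the `dns_transaction_retry(t, true)` call rotates away from a server that was just classified as DNSSEC-incompatible without leaving any trace in the log, so an operator debugging a strict-mode lookup that eventually ends in DNS_TRANSACTION_DNSSEC_FAILED cannot tell which servers were tried and rejected on the way; I would add `log_debug("Server does not support DNSSEC, trying a different server.");` immediately before the retry, matching how the allow-downgrade branch (presumably nearby, outside this hunk) reports its decision. The loop bound relies on `t->n_picked_servers` being incremented by each retry and compared against the scope's current server count; that looks sound if the count is stable, and if the server set shrinks mid-transaction the comparison simply fails earlier and falls through to the existing failure completion, which is the safe direction. This is not a downgrade vector: in DNSSEC_YES mode the transaction still ends in DNSSEC_FAILED once every known server has been tried, so an attacker controlling one server can at most delay the failure. dns_transaction_process_dnssec begins before and continues after this hunk.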