git.ipfire.org Git - thirdparty/systemd.git/commit
author Ronan Pigott <ronan@rjp.ie>
Sat, 21 Feb 2026 01:51:35 +0000 (18:51 -0700)
committer Ronan Pigott <ronan@rjp.ie>
Mon, 23 Mar 2026 20:06:19 +0000 (13:06 -0700)
commit 053f4f1dbc94aa5a2d1004ac90f2401658ab8b6c
tree 0ed6ae4336fa3fda783fb083a80e0e17a23b19f0
parent bd7ba0a645fe94ba54660eefd0044bc1a9b0dee6
resolved: resolve insecure answers with unsupported sig algorithms

sd-resolved does not support all the permissible DNSSEC signature
algorithms, and some are intentionally unsupported as a matter of
policy. Answers that can only be validated via unsupported algorithms
should be treated as if they were unsigned, per RFC4035 §5.2.

Previously, sd-resolved tried to properly record insecure answers for
unsupported algorithms, but did not record this status for each of the
auxiliary DNSSEC transactions, so the primary transaction had no way to
know if there was a plausible DNSKEY with an unsupported signature
algorithm in the chain of trust.

This commit adds the insecure DNSKEYs that use unsupported algorithms to
the list of validated keys for each transaction, so that dependent
transactions can learn that a plausible chain of trust exists, even if
no authenticated one does, and report the insecure answer.
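The RFC 4035 §5.2 rule the commit message describes, modelled as an added C example (not systemd's code): a DNSKEY that could only be checked with an unsupported algorithm stays in the accepted-key list marked insecure, so an RRset signed by it is classified insecure rather than bogus. The supported-algorithm policy and the `verifies` flag standing in for the cryptographic check are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Simplified model of the RFC 4035 §5.2 rule from the commit message: an RRset whose
 * chain of trust exists but can only be checked with algorithms this validator does not
 * implement is INSECURE (treated as unsigned), not BOGUS. Not systemd's code. */
typedef enum { DNSSEC_SECURE, DNSSEC_INSECURE, DNSSEC_BOGUS } dnssec_result;

typedef struct {
        unsigned key_tag;
        unsigned algorithm;
        dnssec_result trust;   /* SECURE: authenticated; INSECURE: plausible only via an unsupported algorithm */
} validated_key;

typedef struct {
        unsigned key_tag;      /* signer key referenced by this RRSIG */
        unsigned algorithm;
        bool verifies;         /* constructed stand-in for the cryptographic signature check */
} rrsig;

/* Hypothetical validator policy: algorithm numbers it implements (RSASHA256, ECDSAP256SHA256, ED25519). */
static bool algorithm_supported(unsigned algorithm) {
        return algorithm == 8 || algorithm == 13 || algorithm == 15;
}

static const validated_key *find_key(const validated_key *keys, size_t n_keys, unsigned key_tag) {
        for (size_t i = 0; i < n_keys; i++)
                if (keys[i].key_tag == key_tag)
                        return &keys[i];
        return NULL;
}

/* Classify an RRset from its RRSIGs and the keys the validator has already accepted. */
static dnssec_result classify_rrset(const rrsig *sigs, size_t n_sigs,
                                    const validated_key *keys, size_t n_keys) {
        bool plausible_chain = false;
        for (size_t i = 0; i < n_sigs; i++) {
                const validated_key *key = find_key(keys, n_keys, sigs[i].key_tag);
                if (!key)
                        continue;   /* no accepted key for this signer: no chain of trust at all */
                if (key->trust == DNSSEC_INSECURE || !algorithm_supported(sigs[i].algorithm)) {
                        plausible_chain = true;   /* a chain exists but cannot be authenticated */
                        continue;
                }
                if (sigs[i].verifies)
                        return DNSSEC_SECURE;
        }
        /* Nothing authenticated: an unauthenticatable chain means unsigned, no chain means bogus. */
        return plausible_chain ? DNSSEC_INSECURE : DNSSEC_BOGUS;
}
```

Dropping the insecure key from the accepted list, as before this commit, turns the same answer into BOGUS because no chain can be found for the signer.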
src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-transaction.c