From: Lennart Poettering Date: Mon, 11 Jan 2016 19:15:28 +0000 (+0100) Subject: resolved: don#t allow explicit queries for RRSIG RRs X-Git-Tag: v229~151^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04680e36a490fe9db1a5245ba9586efd8e8284dc;p=thirdparty%2Fsystemd.git resolved: don#t allow explicit queries for RRSIG RRs We wouldn't know how to validate them, since they are the signatures, and hence have no signatures. --- diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c index 2522374c339..fb8228048da 100644 --- a/src/resolve/dns-type.c +++ b/src/resolve/dns-type.c @@ -77,7 +77,13 @@ bool dns_type_is_valid_query(uint16_t type) { 0, DNS_TYPE_OPT, DNS_TYPE_TSIG, - DNS_TYPE_TKEY); + DNS_TYPE_TKEY, + + /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as + * they aren't really payload, but signatures for payload, and cannot be validated on their + * own. After all they are the signatures, and have no signatures of their own validating + * them. */ + DNS_TYPE_RRSIG); } bool dns_type_is_valid_rr(uint16_t type) {
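Review bot: Listing DNS_TYPE_RRSIG in dns_type_is_valid_query() puts a policy refusal into a predicate whose name promises a validity check, and the new comment itself concedes that RRSIG is "technically valid as questions". A caller that gets false back cannot tell the existing entries (0, DNS_TYPE_OPT, DNS_TYPE_TSIG, DNS_TYPE_TKEY) apart from a type that is refused only because its answer could not be DNSSEC-validated. Consider a separate predicate for the policy case, or at least a note at the head of the function saying it also rejects types the resolver declines to query. The comment also gives the same reason twice ("cannot be validated on their own" and "have no signatures of their own validating them"); one sentence would be enough.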