From: Zbigniew Jędrzejewski-Szmek <zbyszek@amutable.com>
Date: Wed, 25 Mar 2026 09:38:08 +0000 (+0100)
Subject: resolved: resolve insecure answers with unsupported sig algorithms (#40778)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e31b9eb29e041a86912d9bc2ac01a3dcbb8acdd;p=thirdparty%2Fsystemd.git

resolved: resolve insecure answers with unsupported sig algorithms (#40778)

sd-resolved does not support all the permissible DNSSEC signature
algorithms, and some are intentionally unsupported as a matter of
policy. Answers that can only be validated via unsupported algorithms
should be treated as if they were unsigned, per RFC4035 § 5.2.

Previously, sd-resolved tried to properly record insecure answers for
unsupported algortihms, but did not record this status for each of the
auxilliary DNSSEC transactions, so the primary transaction had no way to
know if there was a plausible DNSKEY with an unsupported signature
algorithm in the chain of trust.

This commit adds the insecure DNSKEYs that use unsupported algorithms to
the list of validated keys for each transaction, so that dependent
transactions can learn that a plausible chain of trust exists, even if
no authenticated one does, and report the insecure answer.

This should improve the situation in #35126.
---

2e31b9eb29e041a86912d9bc2ac01a3dcbb8acdd