git.ipfire.org Git - thirdparty/systemd.git/commitdiff
resolved: use the SOA to find chain of trust quicker
author: Ronan Pigott <ronan@rjp.ie>
Wed, 11 Mar 2026 17:52:49 +0000 (10:52 -0700)
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 25 Mar 2026 10:32:51 +0000 (11:32 +0100)
sd-resolved does dnssec "backwards" compared to most resolvers.

A typical strategy is to start from the DNS root and gather the
requisite keys on the way down, but sd-resolved requests the final
answer it wants and then goes searching for the requisite keys later.

We don't know in advance under which names we should expect to find
those keys, because we don't know the zone cuts a priori, but we can use
what we have found in prior responses to make an educated guess. This
was more or less the intent of 47690634f157, but it was partially
regressed in d840783db520 while fixing a bug handling totally empty
responses.

Fixes #37472

Ref: 47690634f157 ("resolved: don't request the SOA for every dns label")
Fixes: d840783db520 ("resolved: always progress DS queries")
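The commit message describes the bottom-up strategy: the owner name of an SOA seen in an earlier response is the closest zone cut we know of, so the DS for that name is where the chain of trust continues, and the only DS request that must be skipped is the one for the exact name the current transaction is already looking up. The following Python model is an added illustration written for this page, not systemd code; it abstracts the C loop into a pure function so the regressed and the fixed decision can be compared side by side. The `Key`/`RR` types, the `fixed` flag and the sample responses are constructed for the example, and real `dns_name_equal()` handles far more than the case/trailing-dot normalisation shown here.

```python
"""Model of the DS-request decision in a bottom-up DNSSEC validator.

Constructed example; it is not systemd's code. It keeps only the part of
the decision the commit changes: which DS records to request, given the
SOA records already seen and the key the current transaction is for.
"""
from dataclasses import dataclass


def dns_name_equal(a: str, b: str) -> bool:
    """Simplified DNS name comparison: case-insensitive, trailing dot ignored.

    (The real function also handles escapes and IDNA; this is enough for
    the example.)
    """
    return a.rstrip(".").lower() == b.rstrip(".").lower()


@dataclass(frozen=True)
class Key:
    name: str
    type: str  # "A", "DS", "SOA", ... (constructed; stands in for DNS_TYPE_*)


@dataclass(frozen=True)
class RR:
    key: Key  # payload omitted; only owner name and type matter here


def ds_keys_to_request(transaction: Key, answer: list[RR], fixed: bool = True) -> set[Key]:
    """Return the DS keys to request in order to validate this transaction.

    Every SOA in the answer names a zone apex we have learned about, and the
    DS for that apex is the next link in the chain of trust. The only DS
    request that must be skipped is a request for the very key this
    transaction already is (otherwise the resolver would chase itself).
    """
    wanted: set[Key] = set()
    for rr in answer:
        if rr.key.type != "SOA":
            continue
        if transaction.type == "DS":
            if fixed:
                # Fixed predicate: skip only when the SOA owner is the
                # exact name whose DS we are already resolving.
                if dns_name_equal(transaction.name, rr.key.name):
                    continue
            else:
                # Regressed predicate: any DS transaction skipped the
                # request, so a DS lookup for a deeper name never asked
                # for the DS of the enclosing zone it had just learned of.
                continue
        wanted.add(Key(rr.key.name, "DS"))
    return wanted


def compare_behaviour(transaction: Key, answer: list[RR]) -> tuple[set[Key], set[Key]]:
    """Convenience: (regressed result, fixed result) for the same input."""
    return (
        ds_keys_to_request(transaction, answer, fixed=False),
        ds_keys_to_request(transaction, answer, fixed=True),
    )


if __name__ == "__main__":
    # Constructed sample: a DS lookup for host.sub.example. whose response
    # carried the SOA of the enclosing zone example.
    soa_example = [RR(Key("example.", "SOA"))]
    old, new = compare_behaviour(Key("host.sub.example.", "DS"), soa_example)
    print("regressed:", old)  # set() -> chain of trust stalls
    print("fixed:    ", new)  # {Key('example.', 'DS')}
```

The three cases worth checking are a DS query for a deeper name (regressed code requests nothing, fixed code requests the DS of the SOA owner), a DS query for the SOA owner itself (both skip, avoiding a self-referential request), and a non-DS query (both request the DS, since the type check never fires).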
src/resolve/resolved-dns-transaction.c

index 1a786ccf270b200d5a488f60e088369a431f750e..a320825d0d5a3de7fb80483845d9f3fcc9a73c4f 100644
@@ -2621,7 +2621,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                                         continue;
 
                                 /* If we were looking for the DS RR, don't request it again. */
-                                if (dns_transaction_key(t)->type == DNS_TYPE_DS)
+                                r = dns_name_equal(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
+                                if (r < 0)
+                                        return r;
+                                if (r > 0 && dns_transaction_key(t)->type == DNS_TYPE_DS)
                                         continue;
                         }
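Review bot: the comment `/* If we were looking for the DS RR, don't request it again. */` above the new `dns_name_equal()` call no longer describes the condition, which now skips only when the transaction is a DS query for the same name as `rr->key`; update it to something like `/* If this transaction already is the DS lookup for this very name, don't request it again. */` so the narrowed intent (the point of the fix) is visible at the call site. Two things to confirm outside the hunk: `r` must be declared in the enclosing scope (its declaration is not in the context shown), and since a negative return from `dns_name_equal()` now propagates out of this loop as the result of `dns_transaction_request_dnssec_keys()`, every caller should treat a negative value as an error rather than as "no keys requested".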