resolved: handle RRs where we don't have a signer 17521/head
authorLennart Poettering <lennart@poettering.net>
Tue, 3 Nov 2020 19:34:21 +0000 (20:34 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 3 Nov 2020 19:36:02 +0000 (20:36 +0100)
If we encounter an RR that has no matching signature, then we don't know
whether it was expanded from a wildcard or not. We need to accept that
and not make the NSEC test fail, just skip over the RR.

src/resolve/resolved-dns-dnssec.c

index 5a4f5c58b6b354e399022e84b6a7f4d3a560333b..5a01d49dee32fe91b959dd8e4bd15187a91121c0 100644 (file)
@@ -1813,6 +1813,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 
                 /* The following checks only make sense for NSEC RRs that are not expanded from a wildcard */
                 r = dns_resource_record_is_synthetic(rr);
+                if (r == -ENODATA) /* No signing RR known. */
+                        continue;
                 if (r < 0)
                         return r;
                 if (r > 0)
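Review bot: The new `-ENODATA` branch ahead of the wildcard checks carries only the comment `/* No signing RR known. */`, which does not say why skipping the record is the right outcome for DNSSEC validation. I would expand it to something like `/* No signer known, so we cannot tell whether this NSEC was wildcard-expanded; do not use it as proof, but do not fail the whole test either */`. The branch presumably relies on `dns_resource_record_is_synthetic()` returning `-ENODATA` only when the signer is missing; that is not visible here, so the contract is worth confirming or documenting at the callee so that no other failure is silently skipped. The enclosing loop and the rest of `dnssec_nsec_test()` lie outside the hunk, so it is also worth checking that an answer in which every NSEC is skipped this way cannot end in an authenticated denial-of-existence result.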