resolved: try to authenticate SOA on negative replies 5347/head
authorLennart Poettering <lennart@poettering.net>
Wed, 15 Feb 2017 19:05:27 +0000 (20:05 +0100)
committerLennart Poettering <lennart@poettering.net>
Fri, 17 Feb 2017 09:25:16 +0000 (10:25 +0100)
For caching negative replies we need the SOA TTL information. Hence,
let's authenticate all auxiliary SOA RRs through DS requests on all
negative requests.

src/resolve/resolved-dns-transaction.c

index 532169ff249a215d6a9bdeb3f1f3eed0654aae9d..ecd70686836b98ceac5d7628cda347fb70ed255b 100644 (file)
@@ -2009,8 +2009,18 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                         r = dns_resource_key_match_rr(t->key, rr, NULL);
                         if (r < 0)
                                 return r;
-                        if (r == 0)
-                                continue;
+                        if (r == 0) {
+                                /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
+                                 * a negative reply, and we need the a SOA RR's TTL in order to cache a negative entry?
+                                 * If so, we need to validate it, too. */
+
+                                r = dns_answer_match_key(t->answer, t->key, NULL);
+                                if (r < 0)
+                                        return r;
+                                if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
+                                            * it. */
+                                        continue;
+                        }
 
                         r = dnssec_has_rrsig(t->answer, rr->key);
                         if (r < 0)
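Review bot: The added `dns_answer_match_key(t->answer, t->key, NULL)` call depends only on `t->answer` and `t->key`, neither of which changes inside the loop, so the answer is rescanned for every SOA RR that fails the `dns_resource_key_match_rr` test; hoisting that result into a local such as `bool positive_reply` before the loop (the loop head is outside this hunk) would do the scan once and give the "is this a negative reply?" decision a single named value that the comment can refer to. The new comment has a small typo, `we need the a SOA RR's TTL` should read `we need the SOA RR's TTL`. As a point of style, the comment split across the condition line, `if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate * it. */`, reads more cleanly on its own lines above the `if`, matching the block comment placed above the `dns_answer_match_key` call a few lines earlier. The enclosing function dns_transaction_request_dnssec_keys begins and ends outside the hunk.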