resolved: fix DNSSEC `missing-key` error
authorFabian Möller <fabianm88@gmail.com>
Wed, 22 Jan 2025 12:33:12 +0000 (13:33 +0100)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 8 Feb 2025 06:51:06 +0000 (15:51 +0900)
Skip unsupported/invalid `DS` and `DNSKEY` combinations during verification.

Fixes: #12545
(cherry picked from commit cac3b43eee83829d68ebf7d4786ebc32e62fe813)

src/resolve/resolved-dns-dnssec.c

index 09cc2cb7313471556e8bab1f2441f6e4e9845b79..6d32b2d798eef04a0bba06c1eaac3c4b3254f021 100644 (file)
@@ -1473,7 +1473,7 @@ int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *vali
 
                 r = dnssec_verify_dnskey_by_ds(dnskey, ds, false);
                 if (IN_SET(r, -EKEYREJECTED, -EOPNOTSUPP))
-                        return 0; /* The DNSKEY is revoked or otherwise invalid, or we don't support the digest algorithm */
+                        continue; /* The DNSKEY is revoked or otherwise invalid, or we don't support the digest algorithm */
                 if (r < 0)
                         return r;
                 if (r > 0)
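Review bot: The comment on the new `continue` line still explains why the search stops, not why it is safe to move on to the next DS; I would reword it to `continue; /* This DS cannot vouch for the DNSKEY (key rejected, or digest algorithm unsupported); try the remaining DS RRs */`. The loop and the rest of dnssec_verify_dnskey_by_ds_search() lie outside the hunk, so it is worth confirming that when every DS is skipped this way the function still ends in the "not validated" result and never in success, since `r > 0` should remain the only path that authenticates the key. A regression test would pin both outcomes: one DS set whose first record uses an unsupported digest type followed by a valid record, and one set containing only unsupported records.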