From: Lennart Poettering Date: Tue, 17 Nov 2020 17:31:53 +0000 (+0100) Subject: resolved: properly check per-link NTA list X-Git-Tag: v247.2~41 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=10f2cfb71595ea02e0597b5de0d8662ed36c51ed;p=thirdparty%2Fsystemd.git resolved: properly check per-link NTA list We need to check for parent domains too. We did this correctly for the system-wide NTA list, but not for the per-link one. Let's fix that. (cherry picked from commit 7e8a93b77c3c4d4df1e8c3177dc9553c94fac759) --- diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 1b8bead7c35..645808e80fe 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -1889,7 +1889,7 @@ static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const if (!t->scope->link) return 0; - return set_contains(t->scope->link->dnssec_negative_trust_anchors, name); + return link_negative_trust_anchor_lookup(t->scope->link, name); } static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) { diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index cb5be90c758..4fa4451ab75 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -1407,3 +1407,26 @@ void link_remove_user(Link *l) { (void) unlink(l->state_file); } + +bool link_negative_trust_anchor_lookup(Link *l, const char *name) { + int r; + + assert(l); + assert(name); + + /* Checks whether the specified domain (or any of its parent domains) are listed as per-link NTA. */ + + for (;;) { + if (set_contains(l->dnssec_negative_trust_anchors, name)) + return true; + + /* And now, let's look at the parent, and check that too */ + r = dns_name_parent(&name); + if (r < 0) + return r; + if (r == 0) + break; + } + + return false; +} diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h index 3f08e983512..26b0d13127d 100644 --- a/src/resolve/resolved-link.h +++ b/src/resolve/resolved-link.h @@ -108,4 +108,6 @@ int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m); bool link_address_relevant(LinkAddress *l, bool local_multicast); void link_address_add_rrs(LinkAddress *a, bool force_remove); +bool link_negative_trust_anchor_lookup(Link *l, const char *name); + DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_free);