From: Jacek Migacz
Date: Wed, 21 Sep 2022 06:23:22 +0000 (+0200)
Subject: resolve: unsupported DNSSEC algorithms are considered INSECURE; not BOGUS
X-Git-Tag: v252-rc1~51
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1ca3600120c6db775f0fe357f6fc6cb3a13f1cc6;p=thirdparty%2Fsystemd.git
resolve: unsupported DNSSEC algorithms are considered INSECURE; not BOGUS
Resolves: #19824
---
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 4066991ecc8..0212569fb03 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -3332,10 +3332,19 @@ static int dnssec_validate_records(
                 }
         }
 
+        /* https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 */
+        if (result == DNSSEC_UNSUPPORTED_ALGORITHM) {
+                r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
+                if (r < 0)
+                        return r;
+
+                manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
+                return 1;
+        }
+
         if (IN_SET(result,
                    DNSSEC_MISSING_KEY,
-                   DNSSEC_SIGNATURE_EXPIRED,
-                   DNSSEC_UNSUPPORTED_ALGORITHM)) {
+                   DNSSEC_SIGNATURE_EXPIRED)) {
 
                 r = dns_transaction_dnskey_authenticated(t, rr);
                 if (r < 0 && r != -ENXIO)
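Review bot: The new `if (result == DNSSEC_UNSUPPORTED_ALGORITHM)` branch downgrades the RRset to INSECURE without the `dns_transaction_dnskey_authenticated()` check that the MISSING_KEY/SIGNATURE_EXPIRED path below still performs, so its safety rests on `dnssec_verify_rrset_search()` (outside the hunk) returning DNSSEC_UNSUPPORTED_ALGORITHM only when every RRSIG covering the RRset uses an algorithm resolved does not implement; if a signature with a supported algorithm was present and failed, RFC 6840 §5.2 does not allow the insecure verdict and the RRset should remain BOGUS. The bare-URL comment should state that precondition so the next reader does not have to rederive it, e.g. `/* RFC 6840 §5.2: an RRset whose signatures all use algorithms we do not implement is treated as unsigned (INSECURE), not BOGUS. Relies on dnssec_verify_rrset_search() reporting UNSUPPORTED_ALGORITHM only when no supported-algorithm signature exists. */`. Because this turns a previously refused answer into one that is served unauthenticated, a `log_debug()` here naming the key and the algorithm would make the downgrade visible when diagnosing unexpectedly unauthenticated results. dnssec_validate_records() begins and ends outside the hunk.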