From: Ronan Pigott Date: Wed, 11 Mar 2026 17:52:49 +0000 (-0700) Subject: resolved: use the SOA to find chain of trust quicker X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27eedfa0efd0bcf6fe31e64f4c193d4c2d1fed4e;p=thirdparty%2Fsystemd.git resolved: use the SOA to find chain of trust quicker sd-resolved does dnssec "backwards" compared to most resolvers. A typical strategy is to start from the DNS root and gather the requisite keys on the way down, but sd-resolved requests the final answer it wants and then goes searching for the requisite keys later. We don't know in advance under which names we should expect to find those keys, because we don't know the zone cuts a priori, but we can use what we have found in prior responses to make an educated guess. This was more or less the intent of 47690634f157, but it was partially regressed in d840783db520 while fixing a bug handling totally empty responses. Fixes #37472 Ref: 47690634f157 ("resolved: don't request the SOA for every dns label") Fixes: d840783db520 ("resolved: always progress DS queries") --- diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 1a786ccf270..a320825d0d5 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2621,7 +2621,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { continue; /* If we were looking for the DS RR, don't request it again. */ - if (dns_transaction_key(t)->type == DNS_TYPE_DS) + r = dns_name_equal(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key)); + if (r < 0) + return r; + if (r > 0 && dns_transaction_key(t)->type == DNS_TYPE_DS) continue; }
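Review bot: the comment kept above the new condition, `/* If we were looking for the DS RR, don't request it again. */`, no longer describes what is tested: the `continue` now fires only when `dns_name_equal()` also reports that the transaction's owner name equals `dns_resource_key_name(rr->key)`, so a DS query for a different name is deliberately allowed to request this DS. Reword it to say that only a DS query for this same name is skipped, since that is the whole point of the change. Also consider checking `dns_transaction_key(t)->type == DNS_TYPE_DS` before calling `dns_name_equal()`, so the name comparison and its possible negative return are only paid on DS transactions instead of for every `rr` the loop visits.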