From: Lennart Poettering
Date: Mon, 17 Dec 2018 20:14:17 +0000 (+0100)
Subject: resolved: only attempt non-answer SOA RRs if they are parents of our query
X-Git-Tag: v240~29^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d5acaa51db2a9963d525a7927e1f55482435bb79;p=thirdparty%2Fsystemd.git

resolved: only attempt non-answer SOA RRs if they are parents of our query

There's no value in authenticating SOA RRs that are neither answer to our question nor parent of our question (the latter being relevant so that we have a TTL from the SOA field for negative caching of the actual query).

By being too eager here, and trying to authenticate too much we run the risk of creating cyclic deps between our transactions which then causes the over-all authentication to fail.

Fixes: #9771
---
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index cc748ac95ea..30f798df362 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2142,6 +2142,14 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate * it. */ continue; + + /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of + * what we are looking for, otherwise there's no value in it for us. */ + r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key)); + if (r < 0) + return r; + if (r == 0) + continue; } r = dnssec_has_rrsig(t->answer, rr->key);
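Review bot: the new comment says the SOA/NS RR must be "a parent of what we are looking for", but dns_name_endswith() also returns positive when the two names are equal, so an SOA owned by the query name itself is kept as well; since that is exactly the record wanted for negative caching, the comment (and the commit message, which speaks only of parents) should say "the query name or a parent of it". Also, the check compares only against t->key: if the transaction's answer carries a CNAME into another zone, that zone's SOA is now skipped because its owner is not a suffix of the original query name; a sentence in the commit message confirming that this case is covered by the follow-up transaction for the CNAME target, or is intentionally out of scope, would help the next reader of this branch.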
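The hunk's whole effect rests on dns_name_endswith() being a label-wise, case-insensitive ancestor test rather than a byte-level suffix match. The following added example (written here for illustration; it is not systemd's dns_name_endswith(), and the names dns_name_is_under(), naive_endswith() and soa_worth_validating() are hypothetical) contrasts the two and reproduces the keep/skip decision the hunk makes for a few constructed query/SOA-owner pairs. It tolerates a trailing dot and mixed case but, unlike systemd's implementation, does not handle escaped dots inside labels.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Byte-level suffix match: the tempting but WRONG way to ask "is name under suffix?".
 * It accepts "badexample.com" as lying under "example.com". */
int naive_endswith(const char *name, const char *suffix) {
        size_t nl = strlen(name), sl = strlen(suffix);
        return sl <= nl && strcmp(name + nl - sl, suffix) == 0;
}

/* Case-insensitive comparison of two labels of known length. */
static bool label_eq(const char *a, size_t alen, const char *b, size_t blen) {
        if (alen != blen)
                return false;
        for (size_t i = 0; i < alen; i++)
                if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
                        return false;
        return true;
}

/* Split a dotted name into labels (left to right). A trailing dot is dropped;
 * the root, written "" or ".", yields zero labels. Escaped dots are NOT handled
 * (illustration only). */
static size_t split_labels(const char *name, const char **starts, size_t *lens, size_t max) {
        size_t n = 0, len = strlen(name), i = 0;
        if (len > 0 && name[len - 1] == '.')
                len--;
        while (i < len && n < max) {
                size_t j = i;
                while (j < len && name[j] != '.')
                        j++;
                starts[n] = name + i;
                lens[n] = j - i;
                n++;
                i = j + 1;
        }
        return n;
}

/* Hypothetical stand-in for dns_name_endswith(): 1 if `name` equals `suffix` or
 * lies below it in the DNS tree (compared label by label from the root), else 0. */
int dns_name_is_under(const char *name, const char *suffix) {
        enum { MAX = 128 };
        const char *ns[MAX], *ss[MAX];
        size_t nl[MAX], sl[MAX];
        size_t nn = split_labels(name, ns, nl, MAX);
        size_t sn = split_labels(suffix, ss, sl, MAX);

        if (sn > nn)
                return 0;  /* suffix has more labels than name: cannot be an ancestor */
        for (size_t k = 0; k < sn; k++)
                if (!label_eq(ns[nn - 1 - k], nl[nn - 1 - k], ss[sn - 1 - k], sl[sn - 1 - k]))
                        return 0;
        return 1;
}

/* The decision the hunk adds for a non-answer SOA/NS RR: keep it for validation only
 * when its owner is the query name or an ancestor of it (that is where the negative
 * caching TTL comes from); otherwise skip it. */
bool soa_worth_validating(const char *query_name, const char *soa_owner) {
        return dns_name_is_under(query_name, soa_owner) == 1;
}

int main(void) {
        /* Constructed pairs, not taken from any real resolver trace. */
        const char *pairs[][2] = {
                { "www.example.com",   "example.com" },     /* parent: keep */
                { "example.com",       "example.com" },     /* same name: keep */
                { "badexample.com",    "example.com" },     /* unrelated: skip */
                { "www.example.com",   "other.example" },   /* different zone: skip */
        };
        for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
                printf("query=%-18s soa=%-14s naive=%d label-wise=%d -> %s\n",
                       pairs[i][0], pairs[i][1],
                       naive_endswith(pairs[i][0], pairs[i][1]),
                       dns_name_is_under(pairs[i][0], pairs[i][1]),
                       soa_worth_validating(pairs[i][0], pairs[i][1]) ? "validate" : "skip");
        return 0;
}
```

The "badexample.com" row is the one to watch: the byte-level check would have kept an SOA from an unrelated zone in the validation set, which is precisely the kind of extra dependency the commit is trying to avoid.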