From: Lennart Poettering Date: Fri, 8 Dec 2017 19:11:36 +0000 (+0100) Subject: resolved: try a different server if server is too dumb to do DNSSEC X-Git-Tag: v236~23^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e82b1132579e45c80b95d4bc12b8c333fa909d53;p=thirdparty%2Fsystemd.git resolved: try a different server if server is too dumb to do DNSSEC If we are in strict DNSSEC mode it's worthy to try a different DNS server before accepting that DNSSEC is not actually supported. Fixes: #7040 --- diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 0388b5e0769..f4bbde02193 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -739,8 +739,17 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) { if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER && t->scope->dnssec_mode == DNSSEC_YES) { - /* We are not in automatic downgrade mode, and the - * server is bad, refuse operation. */ + + /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe + * that works. */ + + if (t->n_picked_servers < dns_scope_get_n_dns_servers(t->scope)) { + /* We tried fewer servers on this transaction than we know, let's try another one then */ + dns_transaction_retry(t, true); + return; + } + + /* OK, let's give up, apparently all servers we tried didn't work. */ dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED); return; }
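Review bot: the termination of the new retry path rests entirely on `t->n_picked_servers < dns_scope_get_n_dns_servers(t->scope)`, which counts picks rather than distinct servers; if `dns_transaction_retry(t, true)` can land on a server that was already tried (for example after the scope's server list changes while the transaction is in flight), the same DNSSEC_INCOMPATIBLE_SERVER result is simply re-collected until the pick count reaches the server count, so the bound holds but a comment stating that this is the intended upper bound on retries would make the guard's purpose clear. It would also help operators if the branch logged, at debug level, that the current server was judged DNSSEC-incompatible and that another server is being tried, since otherwise the eventual DNS_TRANSACTION_DNSSEC_FAILED result gives no hint that several servers were consulted. Minor wording in the new comment: "apparently all servers we tried didn't work" reads more naturally as "apparently none of the servers we tried worked".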