From: Lennart Poettering Date: Tue, 3 Nov 2020 19:34:21 +0000 (+0100) Subject: resolved: handle RRs where we don't have a signer X-Git-Tag: v247-rc2~29^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F17521%2Fhead;p=thirdparty%2Fsystemd.git resolved: handle RRs where we don't have a signer If we encounter an RR that has no matching signature, then we don't know whether it was expanded from a wildcard or not. We need to accept that and not make the NSEC test fail, just skip over the RR. --- diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 5a4f5c58b6b..5a01d49dee3 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -1813,6 +1813,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r /* The following checks only make sense for NSEC RRs that are not expanded from a wildcard */ r = dns_resource_record_is_synthetic(rr); + if (r == -ENODATA) /* No signing RR known. */ + continue; if (r < 0) return r; if (r > 0)
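Review bot: In the `dnssec_nsec_test()` hunk, the new `if (r == -ENODATA)` branch is explained only by "No signing RR known.", which says what the error means but not why `continue` is the right reaction. The commit message has the reasoning (without a signature we cannot tell whether the RR was expanded from a wildcard, so the RR is skipped rather than failing the NSEC test), and a line of that belongs in the code comment so the next reader does not take the branch for a swallowed error. The branch also relies on `dns_resource_record_is_synthetic()` returning `-ENODATA` only in the missing-signer case. That function is not part of this diff, so it is worth confirming no other path in it yields the same code and documenting the return value there. Since `continue` means an NSEC RR without a known signer contributes nothing to the checks that follow in the loop, a test with an answer containing such an RR would pin down the intended result.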