resolved: properly check per-link NTA list

author Lennart Poettering <lennart@poettering.net>

Tue, 17 Nov 2020 17:31:53 +0000 (18:31 +0100)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Tue, 8 Dec 2020 17:08:31 +0000 (18:08 +0100)
author Lennart Poettering <lennart@poettering.net>
Tue, 17 Nov 2020 17:31:53 +0000 (18:31 +0100)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 8 Dec 2020 17:08:31 +0000 (18:08 +0100)
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c

index 016ff0136b6463234219bdfea281a08a3ffaf63b..6e84d80698e13c50bee1241821008ade45e97c10 100644 (file)
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -1898,7 +1898,7 @@ static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const
          if (!t->scope->link)
                  return 0;
  
-        return set_contains(t->scope->link->dnssec_negative_trust_anchors, name);
+        return link_negative_trust_anchor_lookup(t->scope->link, name);
  }
  
  static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c

index f52c556bd13b72c011bc83b8d5fc75b278703eda..b4b6f3bd11a6f972a0fe77d1eee3b76e4fecc2ab 100644 (file)
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -1406,3 +1406,26 @@ void link_remove_user(Link *l) {
  
          (void) unlink(l->state_file);
  }
+
+bool link_negative_trust_anchor_lookup(Link *l, const char *name) {
+        int r;
+
+        assert(l);
+        assert(name);
+
+        /* Checks whether the specified domain (or any of its parent domains) are listed as per-link NTA. */
+
+        for (;;) {
+                if (set_contains(l->dnssec_negative_trust_anchors, name))
+                        return true;
+
+                /* And now, let's look at the parent, and check that too */
+                r = dns_name_parent(&name);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        break;
+        }
+
+        return false;
+}
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h

index 44d489ce4792435fbe61f2e862ca82ffeb21b041..4fcfb099108a6f522ef0bbd87b3251b78e1c43e7 100644 (file)
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -108,4 +108,6 @@ int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);
  bool link_address_relevant(LinkAddress *l, bool local_multicast);
  void link_address_add_rrs(LinkAddress *a, bool force_remove);
  
+bool link_negative_trust_anchor_lookup(Link *l, const char *name);
+
  DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_free);
author	Lennart Poettering <lennart@poettering.net>
	Tue, 17 Nov 2020 17:31:53 +0000 (18:31 +0100)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 8 Dec 2020 17:08:31 +0000 (18:08 +0100)
src/resolve/resolved-dns-transaction.c		patch \| blob \| blame \| history
src/resolve/resolved-link.c		patch \| blob \| blame \| history
src/resolve/resolved-link.h		patch \| blob \| blame \| history