author | Lennart Poettering <lennart@poettering.net> | 2020-11-17 18:31:53 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-12-08 18:08:31 +0100 |
commit | 2e304fb3db655871833e800274890133de99ad7f (patch) | |
tree | 70dbc88cd7756a102d60f437ecbe63217dd6dfb4 | |
parent | dcff070d70abfc353da5fc0e47b4e8f62b15b093 (diff) | |
resolved: properly check per-link NTA list
We need to check for parent domains too. We did this correctly for the
system-wide NTA list, but not for the per-link one. Let's fix that.
(cherry picked from commit 7e8a93b77c3c4d4df1e8c3177dc9553c94fac759)
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 2 | ||||
-rw-r--r-- | src/resolve/resolved-link.c | 23 | ||||
-rw-r--r-- | src/resolve/resolved-link.h | 2 |
3 files changed, 26 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 016ff0136b..6e84d80698 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -1898,7 +1898,7 @@ static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const
 if (!t->scope->link)
 return 0;
- return set_contains(t->scope->link->dnssec_negative_trust_anchors, name);
+ return link_negative_trust_anchor_lookup(t->scope->link, name);
 }
 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index f52c556bd1..b4b6f3bd11 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -1406,3 +1406,26 @@ void link_remove_user(Link *l) {
 (void) unlink(l->state_file);
 }
+
+bool link_negative_trust_anchor_lookup(Link *l, const char *name) {
+ int r;
+
+ assert(l);
+ assert(name);
+
+ /* Checks whether the specified domain (or any of its parent domains) are listed as per-link NTA. */
+
+ for (;;) {
+ if (set_contains(l->dnssec_negative_trust_anchors, name))
+ return true;
+
+ /* And now, let's look at the parent, and check that too */
+ r = dns_name_parent(&name);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+ }
+
+ return false;
+}
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h
index 44d489ce47..4fcfb09910 100644
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -108,4 +108,6 @@ int link_address_update_rtnl(LinkAddress *a, sd_netlink_message *m);
 bool link_address_relevant(LinkAddress *l, bool local_multicast);
 void link_address_add_rrs(LinkAddress *a, bool force_remove);
+bool link_negative_trust_anchor_lookup(Link *l, const char *name);
+
 DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_free); |
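Review bot: In the new `link_negative_trust_anchor_lookup()` in resolved-link.c, the `return r;` on the `r < 0` path passes through a `bool` return type, so a negative errno from `dns_name_parent()` becomes `true` and is indistinguishable from "name is covered by a per-link NTA". That fails open: the call site changed in resolved-dns-transaction.c would presumably treat the name as exempt from DNSSEC validation instead of seeing the failure. The caller `dns_transaction_negative_trust_anchor_lookup()` already returns `int`, so declaring the helper as `int link_negative_trust_anchor_lookup(Link *l, const char *name)` in resolved-link.c and in the prototype added to resolved-link.h would let the error propagate unchanged. Whether `dns_name_parent()` can actually fail for names that reach this point is not visible in these hunks, so treat the impact as something to confirm.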