resolved: handle RRs where we don't have a signer

If we encounter an RR that has no matching signature, then we don't know whether it was expanded from a wildcard or not. We need to accept that and not make the NSEC test fail, just skip over the RR.
author: Lennart Poettering <lennart@poettering.net> 2020-11-03 20:34:21 +0100
committer: Lennart Poettering <lennart@poettering.net> 2020-11-03 20:36:02 +0100
commit: 2f4c2db20ae02d750a6995e0afbff7231cd3a6b7 (patch)
tree: b3840ad548a8f3ffd32c03ebe16f65ce1608dc74 /src/resolve/resolved-dns-dnssec.c
parent: de4a0138e7a1836649928989dbacb59c5c2614f7 (diff)
download: systemd-2f4c2db20ae02d750a6995e0afbff7231cd3a6b7.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 5a4f5c58b6..5a01d49dee 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -1813,6 +1813,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 
                 /* The following checks only make sense for NSEC RRs that are not expanded from a wildcard */
                 r = dns_resource_record_is_synthetic(rr);
+                if (r == -ENODATA) /* No signing RR known. */
+                        continue;
                 if (r < 0)
                         return r;
                 if (r > 0)
author	Lennart Poettering <lennart@poettering.net>	2020-11-03 20:34:21 +0100
committer	Lennart Poettering <lennart@poettering.net>	2020-11-03 20:36:02 +0100
commit	2f4c2db20ae02d750a6995e0afbff7231cd3a6b7 (patch)
tree	b3840ad548a8f3ffd32c03ebe16f65ce1608dc74 /src/resolve/resolved-dns-dnssec.c
parent	de4a0138e7a1836649928989dbacb59c5c2614f7 (diff)
download	systemd-2f4c2db20ae02d750a6995e0afbff7231cd3a6b7.tar.gz