diff options
author | Lennart Poettering <lennart@poettering.net> | 2020-11-03 20:34:21 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-11-03 20:36:02 +0100 |
commit | 2f4c2db20ae02d750a6995e0afbff7231cd3a6b7 (patch) | |
tree | b3840ad548a8f3ffd32c03ebe16f65ce1608dc74 /src/resolve/resolved-dns-dnssec.c | |
parent | de4a0138e7a1836649928989dbacb59c5c2614f7 (diff) | |
download | systemd-2f4c2db20ae02d750a6995e0afbff7231cd3a6b7.tar.gz |
resolved: handle RRs where we don't have a signer
If we encounter an RR that has no matching signature, then we don't know
whether it was expanded from a wildcard or not. We need to accept that
and not make the NSEC test fail, just skip over the RR.
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 5a4f5c58b6..5a01d49dee 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -1813,6 +1813,8 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r /* The following checks only make sense for NSEC RRs that are not expanded from a wildcard */ r = dns_resource_record_is_synthetic(rr); + if (r == -ENODATA) /* No signing RR known. */ + continue; if (r < 0) return r; if (r > 0) |