diff options
author | V3n3RiX <venerix@koprulu.sector> | 2024-05-06 00:00:52 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2024-05-06 00:00:52 +0100 |
commit | 43c2a85d4e20318dd3d35872e348707900870067 (patch) | |
tree | f863318f1d5bf6641145c6eb96a25818842ba87f /sys-apps/systemd/files/255-dnssec-2.patch | |
parent | b594445f39d99066071d80fc8efeba5c8f72cc35 (diff) |
gentoo auto-resync : 06:05:2024 - 00:00:51
Diffstat (limited to 'sys-apps/systemd/files/255-dnssec-2.patch')
-rw-r--r-- | sys-apps/systemd/files/255-dnssec-2.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/sys-apps/systemd/files/255-dnssec-2.patch b/sys-apps/systemd/files/255-dnssec-2.patch new file mode 100644 index 000000000000..e8eaf9782b3e --- /dev/null +++ b/sys-apps/systemd/files/255-dnssec-2.patch @@ -0,0 +1,48 @@ +https://github.com/systemd/systemd/pull/32598 +https://github.com/systemd/systemd-stable/commit/ee15f5efaf2f6cdbb867fca601e92761276e2b1e + +From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001 +From: Ronan Pigott <ronan@rjp.ie> +Date: Tue, 30 Apr 2024 22:15:18 -0700 +Subject: [PATCH] resolved: probe for dnssec support in allow-downgrade mode + +Previously, sd-resolved unnecessarily requested SOA records for each dns +label in the query, even though they are not needed for the chain of +trust. Since 47690634f157, only the necessary records are queried when +validating. + +This is actually a problem in allow-downgrade mode, since we will no +longer attempt a query for a record that we know is signed a priori, and +will therefore never update our belief about the state of dnssec support +in the recursive resolver. + +Rectify this by reintroducing a query for the root zone SOA in the +allow-downgrade case, specifically to test that the resolver attaches +the RRSIGs which we know must exist. + +Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") +(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc) +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { + if (r < 0) + return r; + ++ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) { ++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; ++ /* We made it all the way to the root zone. If we are in allow-downgrade ++ * mode, we need to make at least one request that we can be certain should ++ * have been signed, to test for servers that are not dnssec aware. */ ++ soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); ++ if (!soa) ++ return -ENOMEM; ++ ++ log_debug("Requesting root zone SOA to probe dnssec support."); ++ r = dns_transaction_request_dnssec_rr(t, soa); ++ if (r < 0) ++ return r; ++ } ++ + break; + } + |