diff options
Diffstat (limited to 'sys-apps/systemd/files/255-dnssec-2.patch')
-rw-r--r-- | sys-apps/systemd/files/255-dnssec-2.patch | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/sys-apps/systemd/files/255-dnssec-2.patch b/sys-apps/systemd/files/255-dnssec-2.patch deleted file mode 100644 index e8eaf9782b3e..000000000000 --- a/sys-apps/systemd/files/255-dnssec-2.patch +++ /dev/null @@ -1,48 +0,0 @@ -https://github.com/systemd/systemd/pull/32598 -https://github.com/systemd/systemd-stable/commit/ee15f5efaf2f6cdbb867fca601e92761276e2b1e - -From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001 -From: Ronan Pigott <ronan@rjp.ie> -Date: Tue, 30 Apr 2024 22:15:18 -0700 -Subject: [PATCH] resolved: probe for dnssec support in allow-downgrade mode - -Previously, sd-resolved unnecessarily requested SOA records for each dns -label in the query, even though they are not needed for the chain of -trust. Since 47690634f157, only the necessary records are queried when -validating. - -This is actually a problem in allow-downgrade mode, since we will no -longer attempt a query for a record that we know is signed a priori, and -will therefore never update our belief about the state of dnssec support -in the recursive resolver. - -Rectify this by reintroducing a query for the root zone SOA in the -allow-downgrade case, specifically to test that the resolver attaches -the RRSIGs which we know must exist. - -Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") -(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc) ---- a/src/resolve/resolved-dns-transaction.c -+++ b/src/resolve/resolved-dns-transaction.c -@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { - if (r < 0) - return r; - -+ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) { -+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; -+ /* We made it all the way to the root zone. If we are in allow-downgrade -+ * mode, we need to make at least one request that we can be certain should -+ * have been signed, to test for servers that are not dnssec aware. */ -+ soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); -+ if (!soa) -+ return -ENOMEM; -+ -+ log_debug("Requesting root zone SOA to probe dnssec support."); -+ r = dns_transaction_request_dnssec_rr(t, soa); -+ if (r < 0) -+ return r; -+ } -+ - break; - } - |