1 files changed, 0 insertions, 48 deletions
diff --git a/sys-apps/systemd/files/255-dnssec-2.patch b/sys-apps/systemd/files/255-dnssec-2.patch
deleted file mode 100644
index e8eaf9782b3e..000000000000
--- a/sys-apps/systemd/files/255-dnssec-2.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-https://github.com/systemd/systemd/pull/32598
-https://github.com/systemd/systemd-stable/commit/ee15f5efaf2f6cdbb867fca601e92761276e2b1e
-
-From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001
-From: Ronan Pigott <ronan@rjp.ie>
-Date: Tue, 30 Apr 2024 22:15:18 -0700
-Subject: [PATCH] resolved: probe for dnssec support in allow-downgrade mode
-
-Previously, sd-resolved unnecessarily requested SOA records for each dns
-label in the query, even though they are not needed for the chain of
-trust. Since 47690634f157, only the necessary records are queried when
-validating.
-
-This is actually a problem in allow-downgrade mode, since we will no
-longer attempt a query for a record that we know is signed a priori, and
-will therefore never update our belief about the state of dnssec support
-in the recursive resolver.
-
-Rectify this by reintroducing a query for the root zone SOA in the
-allow-downgrade case, specifically to test that the resolver attaches
-the RRSIGs which we know must exist.
-
-Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
-(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc)
---- a/src/resolve/resolved-dns-transaction.c
-+++ b/src/resolve/resolved-dns-transaction.c
-@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
-                         if (r < 0)
-                                 return r;
- 
-+                        if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) {
-+                                _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
-+                                /* We made it all the way to the root zone. If we are in allow-downgrade
-+                                 * mode, we need to make at least one request that we can be certain should
-+                                 * have been signed, to test for servers that are not dnssec aware. */
-+                                soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
-+                                if (!soa)
-+                                        return -ENOMEM;
-+
-+                                log_debug("Requesting root zone SOA to probe dnssec support.");
-+                                r = dns_transaction_request_dnssec_rr(t, soa);
-+                                if (r < 0)
-+                                        return r;
-+                        }
-+
-                         break;
-                 }
-