1 files changed, 32 insertions, 0 deletions

diff --git a/sys-apps/systemd/files/255-dnssec-3.patch b/sys-apps/systemd/files/255-dnssec-3.patch
new file mode 100644
index 000000000000..4fd231d6d157
--- /dev/null
+++ b/sys-apps/systemd/files/255-dnssec-3.patch
@@ -0,0 +1,32 @@
+https://github.com/systemd/systemd/pull/32593
+https://github.com/systemd/systemd-stable/commit/a1580223a5dd67ab61c5f888b114de43b65fffbf
+
+From a1580223a5dd67ab61c5f888b114de43b65fffbf Mon Sep 17 00:00:00 2001
+From: Ronan Pigott <ronan@rjp.ie>
+Date: Tue, 30 Apr 2024 13:19:14 -0700
+Subject: [PATCH] resolved: validate authentic insecure delegation to CNAME
+
+If the parent zone uses a non-opt-out method that provides authenticated
+negative DS replies, we still can't expect signatures from the child
+zone. sd-resolved was using the authenticated status of the DS reply to
+require signatures for CNAMEs, even though it had already proved that no
+signature exists.
+
+Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
+(cherry picked from commit 414a9b8e5e1e772261b0ffaedc853f5c0aba5719)
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2863,7 +2863,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+                         if (r == 0)
+                                 continue;
+ 
+-                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++                        if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
++                                return false;
++
++                        /* We expect this to be signed when the DS record exists, and don't expect it to be
++                         * signed when the DS record is proven not to exist. */
++                        return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
+                 }
+ 
+                 return true;