Diffstat (limited to 'sys-apps/systemd/files/255-dnssec-3.patch')
-rw-r--r-- | sys-apps/systemd/files/255-dnssec-3.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/sys-apps/systemd/files/255-dnssec-3.patch b/sys-apps/systemd/files/255-dnssec-3.patch
new file mode 100644
index 000000000000..4fd231d6d157
--- /dev/null
+++ b/sys-apps/systemd/files/255-dnssec-3.patch
@@ -0,0 +1,32 @@
+https://github.com/systemd/systemd/pull/32593
+https://github.com/systemd/systemd-stable/commit/a1580223a5dd67ab61c5f888b114de43b65fffbf
+
+From a1580223a5dd67ab61c5f888b114de43b65fffbf Mon Sep 17 00:00:00 2001
+From: Ronan Pigott <ronan@rjp.ie>
+Date: Tue, 30 Apr 2024 13:19:14 -0700
+Subject: [PATCH] resolved: validate authentic insecure delegation to CNAME
+
+If the parent zone uses a non-opt-out method that provides authenticated
+negative DS replies, we still can't expect signatures from the child
+zone. sd-resolved was using the authenticated status of the DS reply to
+require signatures for CNAMEs, even though it had already proved that no
+signature exists.
+
+Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
+(cherry picked from commit 414a9b8e5e1e772261b0ffaedc853f5c0aba5719)
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2863,7 +2863,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
+ if (r == 0)
+ continue;
+
+- return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
++ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
++ return false;
++
++ /* We expect this to be signed when the DS record exists, and don't expect it to be
++ * signed when the DS record is proven not to exist. */
++ return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
+ }
+
+ return true;