diff options
Diffstat (limited to 'sys-apps/systemd/files')
| -rw-r--r-- | sys-apps/systemd/files/255-dnssec-2.patch | 48 | ||||
| -rw-r--r-- | sys-apps/systemd/files/255-dnssec-3.patch | 32 | ||||
| -rw-r--r-- | sys-apps/systemd/files/255-dnssec.patch | 29 |
3 files changed, 0 insertions, 109 deletions
diff --git a/sys-apps/systemd/files/255-dnssec-2.patch b/sys-apps/systemd/files/255-dnssec-2.patch deleted file mode 100644 index e8eaf9782b3e..000000000000 --- a/sys-apps/systemd/files/255-dnssec-2.patch +++ /dev/null @@ -1,48 +0,0 @@ -https://github.com/systemd/systemd/pull/32598 -https://github.com/systemd/systemd-stable/commit/ee15f5efaf2f6cdbb867fca601e92761276e2b1e - -From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001 -From: Ronan Pigott <ronan@rjp.ie> -Date: Tue, 30 Apr 2024 22:15:18 -0700 -Subject: [PATCH] resolved: probe for dnssec support in allow-downgrade mode - -Previously, sd-resolved unnecessarily requested SOA records for each dns -label in the query, even though they are not needed for the chain of -trust. Since 47690634f157, only the necessary records are queried when -validating. - -This is actually a problem in allow-downgrade mode, since we will no -longer attempt a query for a record that we know is signed a priori, and -will therefore never update our belief about the state of dnssec support -in the recursive resolver. - -Rectify this by reintroducing a query for the root zone SOA in the -allow-downgrade case, specifically to test that the resolver attaches -the RRSIGs which we know must exist. - -Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") -(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc) ---- a/src/resolve/resolved-dns-transaction.c -+++ b/src/resolve/resolved-dns-transaction.c -@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { - if (r < 0) - return r; - -+ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) { -+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL; -+ /* We made it all the way to the root zone. If we are in allow-downgrade -+ * mode, we need to make at least one request that we can be certain should -+ * have been signed, to test for servers that are not dnssec aware. */ -+ soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name); -+ if (!soa) -+ return -ENOMEM; -+ -+ log_debug("Requesting root zone SOA to probe dnssec support."); -+ r = dns_transaction_request_dnssec_rr(t, soa); -+ if (r < 0) -+ return r; -+ } -+ - break; - } - diff --git a/sys-apps/systemd/files/255-dnssec-3.patch b/sys-apps/systemd/files/255-dnssec-3.patch deleted file mode 100644 index 4fd231d6d157..000000000000 --- a/sys-apps/systemd/files/255-dnssec-3.patch +++ /dev/null @@ -1,32 +0,0 @@ -https://github.com/systemd/systemd/pull/32593 -https://github.com/systemd/systemd-stable/commit/a1580223a5dd67ab61c5f888b114de43b65fffbf - -From a1580223a5dd67ab61c5f888b114de43b65fffbf Mon Sep 17 00:00:00 2001 -From: Ronan Pigott <ronan@rjp.ie> -Date: Tue, 30 Apr 2024 13:19:14 -0700 -Subject: [PATCH] resolved: validate authentic insecure delegation to CNAME - -If the parent zone uses a non-opt-out method that provides authenticated -negative DS replies, we still can't expect signatures from the child -zone. sd-resolved was using the authenticated status of the DS reply to -require signatures for CNAMEs, even though it had already proved that no -signature exists. - -Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") -(cherry picked from commit 414a9b8e5e1e772261b0ffaedc853f5c0aba5719) ---- a/src/resolve/resolved-dns-transaction.c -+++ b/src/resolve/resolved-dns-transaction.c -@@ -2863,7 +2863,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * - if (r == 0) - continue; - -- return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); -+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) -+ return false; -+ -+ /* We expect this to be signed when the DS record exists, and don't expect it to be -+ * signed when the DS record is proven not to exist. */ -+ return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); - } - - return true; diff --git a/sys-apps/systemd/files/255-dnssec.patch b/sys-apps/systemd/files/255-dnssec.patch deleted file mode 100644 index 978c26ff15f4..000000000000 --- a/sys-apps/systemd/files/255-dnssec.patch +++ /dev/null @@ -1,29 +0,0 @@ -https://github.com/systemd/systemd/issues/32531 -https://github.com/systemd/systemd/commit/d840783db5208219c78d73b9b46ef5daae9fea0a -https://github.com/systemd/systemd-stable/commit/52c17febf14c866d9808d1804f13ac98d76e665b - -From 52c17febf14c866d9808d1804f13ac98d76e665b Mon Sep 17 00:00:00 2001 -From: Ronan Pigott <ronan@rjp.ie> -Date: Mon, 29 Apr 2024 02:17:23 -0700 -Subject: [PATCH] resolved: always progress DS queries - -If we request a DS and the resolver offers an unsigned SOA, a new -auxiliary transaction for the DS will be rejected as a loop, and we -might not make any progress toward finding the DS we need. Let's ensure -that we at least always check the parent in this case. - -Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") -(cherry picked from commit d840783db5208219c78d73b9b46ef5daae9fea0a) ---- a/src/resolve/resolved-dns-transaction.c -+++ b/src/resolve/resolved-dns-transaction.c -@@ -2545,6 +2545,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) { - return r; - if (r == 0) - continue; -+ -+ /* If we were looking for the DS RR, don't request it again. */ -+ if (dns_transaction_key(t)->type == DNS_TYPE_DS) -+ continue; - } - - r = dnssec_has_rrsig(t->answer, rr->key); |