From 4c2b70adc6484c35ff05e412de08a7b7f50cfb34 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Tue, 30 Apr 2024 00:00:01 +0100
Subject: gentoo auto-resync : 30:04:2024 - 00:00:01
---
sys-apps/systemd/files/255-dnssec.patch | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 sys-apps/systemd/files/255-dnssec.patch
(limited to 'sys-apps/systemd/files')
diff --git a/sys-apps/systemd/files/255-dnssec.patch b/sys-apps/systemd/files/255-dnssec.patch
new file mode 100644
index 000000000000..5c720c58ce4a
--- /dev/null
+++ b/sys-apps/systemd/files/255-dnssec.patch
@@ -0,0 +1,27 @@
+https://github.com/systemd/systemd/commit/d840783db5208219c78d73b9b46ef5daae9fea0a
+
+From d840783db5208219c78d73b9b46ef5daae9fea0a Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Mon, 29 Apr 2024 02:17:23 -0700
+Subject: [PATCH] resolved: always progress DS queries
+
+If we request a DS and the resolver offers an unsigned SOA, a new
+auxiliary transaction for the DS will be rejected as a loop, and we
+might not make any progress toward finding the DS we need. Let's ensure
+that we at least always check the parent in this case.
+
+Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2618,6 +2618,10 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
+ return r;
+ if (r == 0)
+ continue;
++
++ /* If we were looking for the DS RR, don't request it again. */
++ if (dns_transaction_key(t)->type == DNS_TYPE_DS)
++ continue;
+ }
+
+ r = dnssec_has_rrsig(t->answer, rr->key);
+
--
cgit v1.2.3
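Review bot: The comment added in the embedded hunk, `/* If we were looking for the DS RR, don't request it again. */`, says what the new `continue` does but not why. The reason appears only in the commit message: a second auxiliary DS transaction would be rejected as a loop and DNSSEC validation could stop making progress. I would carry that into the code, e.g. `/* This transaction is already the DS lookup; another auxiliary DS request would be rejected as a loop, so skip it. */`. Note that the `continue` also bypasses the `dnssec_has_rrsig(t->answer, rr->key)` call visible just after the closing brace for this RR. The rest of `dns_transaction_request_dnssec_keys()` lies outside the hunk, so where the parent zone is then consulted cannot be confirmed from this patch alone and is worth checking against the full function.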