morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 00:47:10 +09:00
Code Issues Packages Projects Releases Wiki Activity

resolve: query the parent zone for DS records

Browse Source 
RFC 4035 Section 4.2 requires that missing DS records are queried for in
the parent zone rather than the child zone, the old behaviour could
cause subdomains under home.arpa (RFC 8375) to fail validation.

This commit assumes that QDCOUNT = 1 as per RFC 9619

Fixes https://github.com/systemd/systemd/issues/19496
This commit is contained in:
MaxHearnden
2025-04-15 01:16:48 +01:00
committed by Yu Watanabe
parent 76cb6f535e
commit 49ff90c70d
3 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/resolve/resolved-dns-question.c
View File

@@ -548,3 +548,12 @@ int dns_question_merge(DnsQuestion *a, DnsQuestion *b, DnsQuestion **ret) {
*ret = TAKE_PTR(k);
return 0;
}
bool dns_question_contains_key_type(DnsQuestion *q, uint16_t type) {
DnsResourceKey *t;
DNS_QUESTION_FOREACH(t, q)
if (t->type == type)
return true;
return false;
}

2
src/resolve/resolved-dns-question.h
View File

@@ -61,6 +61,8 @@ static inline bool dns_question_isempty(DnsQuestion *q) {
int dns_question_merge(DnsQuestion *a, DnsQuestion *b, DnsQuestion **ret);
bool dns_question_contains_key_type(DnsQuestion *q, uint16_t type);
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuestion*, dns_question_unref);
#define _DNS_QUESTION_FOREACH(u, k, q) \

7
src/resolve/resolved-dns-scope.c
View File

@@ -713,6 +713,11 @@ DnsScopeMatch dns_scope_good_domain(
if (!dns_scope_get_dns_server(s))
return DNS_SCOPE_NO;
/* Route DS requests to the parent */
const char *route_domain = domain;
if (dns_question_contains_key_type(question, DNS_TYPE_DS))
(void) dns_name_parent(&route_domain);
/* Always honour search domains for routing queries, except if this scope lacks DNS servers. Note that
* we return DNS_SCOPE_YES here, rather than just DNS_SCOPE_MAYBE, which means other wildcard scopes
* won't be considered anymore. */
@@ -721,7 +726,7 @@ DnsScopeMatch dns_scope_good_domain(
if (!d->route_only && !dns_name_is_root(d->name))
has_search_domains = true;
if (dns_name_endswith(domain, d->name) > 0) {
if (dns_name_endswith(route_domain, d->name) > 0) {
int c;
c = dns_name_count_labels(d->name);