Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-apps/systemd/files/255-dnssec-2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'sys-apps/systemd/files/255-dnssec-2.patch')
-rw-r--r--sys-apps/systemd/files/255-dnssec-2.patch48
1 files changed, 48 insertions, 0 deletions
diff --git a/sys-apps/systemd/files/255-dnssec-2.patch b/sys-apps/systemd/files/255-dnssec-2.patch
new file mode 100644
index 000000000000..e8eaf9782b3e
--- /dev/null
+++ b/sys-apps/systemd/files/255-dnssec-2.patch
@@ -0,0 +1,48 @@
+https://github.com/systemd/systemd/pull/32598
+https://github.com/systemd/systemd-stable/commit/ee15f5efaf2f6cdbb867fca601e92761276e2b1e
+
+From ee15f5efaf2f6cdbb867fca601e92761276e2b1e Mon Sep 17 00:00:00 2001
+From: Ronan Pigott <ronan@rjp.ie>
+Date: Tue, 30 Apr 2024 22:15:18 -0700
+Subject: [PATCH] resolved: probe for dnssec support in allow-downgrade mode
+
+Previously, sd-resolved unnecessarily requested SOA records for each dns
+label in the query, even though they are not needed for the chain of
+trust. Since 47690634f157, only the necessary records are queried when
+validating.
+
+This is actually a problem in allow-downgrade mode, since we will no
+longer attempt a query for a record that we know is signed a priori, and
+will therefore never update our belief about the state of dnssec support
+in the recursive resolver.
+
+Rectify this by reintroducing a query for the root zone SOA in the
+allow-downgrade case, specifically to test that the resolver attaches
+the RRSIGs which we know must exist.
+
+Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
+(cherry picked from commit 5237ffdf2b63a5afea77c3470d9981a2c29643cc)
+--- a/src/resolve/resolved-dns-transaction.c
++++ b/src/resolve/resolved-dns-transaction.c
+@@ -2622,6 +2622,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
+ if (r < 0)
+ return r;
+
++ if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) {
++ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
++ /* We made it all the way to the root zone. If we are in allow-downgrade
++ * mode, we need to make at least one request that we can be certain should
++ * have been signed, to test for servers that are not dnssec aware. */
++ soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
++ if (!soa)
++ return -ENOMEM;
++
++ log_debug("Requesting root zone SOA to probe dnssec support.");
++ r = dns_transaction_request_dnssec_rr(t, soa);
++ if (r < 0)
++ return r;
++ }
++
+ break;
+ }
+