From: Lennart Poettering Date: Mon, 4 Jan 2016 21:35:54 +0000 (+0100) Subject: resolved: explicitly handle case when the trust anchor is empty X-Git-Tag: v229.1~1^2~72 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=cda31ba58ea9360348d0b3b341b3155d65502405 resolved: explicitly handle case when the trust anchor is empty Since we honour RFC5011 revoked keys it might happen we end up with an empty trust anchor, or one where there's no entry for the root left. With this patch the logic is changed what to do in this case. Before this patch we'd end up requesting the root DS, which returns with NODATA but a signed NSEC we cannot verify, since the trust anchor is empty after all. Thus we'd return a DNSSEC result of "missing-key", as we lack a verified version of the key. With this patch in place, look-ups for the root DS are explicitly recognized, and not passed on to the DNS servers. Instead, if downgrade-ok mode is on an unsigned NODATA response is synthesized, so that the validator code continues under the assumption the root zone was unsigned. If downgrade-ok mode is off a new transaction failure is generated, that makes this case recognizable. --- diff --git a/src/libelogind/sd-bus/bus-common-errors.h b/src/libelogind/sd-bus/bus-common-errors.h index 46f3877d0..9e4972584 100644 --- a/src/libelogind/sd-bus/bus-common-errors.h +++ b/src/libelogind/sd-bus/bus-common-errors.h @@ -75,6 +75,7 @@ #define BUS_ERROR_CONNECTION_FAILURE "org.freedesktop.resolve1.ConnectionFailure" #define BUS_ERROR_NO_SUCH_SERVICE "org.freedesktop.resolve1.NoSuchService" #define BUS_ERROR_DNSSEC_FAILED "org.freedesktop.resolve1.DnssecFailed" +#define BUS_ERROR_NO_TRUST_ANCHOR "org.freedesktop.resolve1.NoTrustAnchor" #define _BUS_ERROR_DNS "org.freedesktop.resolve1.DnsError." #define BUS_ERROR_NO_SUCH_TRANSFER "org.freedesktop.import1.NoSuchTransfer"