https://github.com/systemd/systemd/pull/32593 https://github.com/systemd/systemd-stable/commit/a1580223a5dd67ab61c5f888b114de43b65fffbf From a1580223a5dd67ab61c5f888b114de43b65fffbf Mon Sep 17 00:00:00 2001 From: Ronan Pigott Date: Tue, 30 Apr 2024 13:19:14 -0700 Subject: [PATCH] resolved: validate authentic insecure delegation to CNAME If the parent zone uses a non-opt-out method that provides authenticated negative DS replies, we still can't expect signatures from the child zone. sd-resolved was using the authenticated status of the DS reply to require signatures for CNAMEs, even though it had already proved that no signature exists. Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label") (cherry picked from commit 414a9b8e5e1e772261b0ffaedc853f5c0aba5719) --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2863,7 +2863,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * if (r == 0) continue; - return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); + if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) + return false; + + /* We expect this to be signed when the DS record exists, and don't expect it to be + * signed when the DS record is proven not to exist. */ + return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); } return true;