resolved: probe for dnssec support in allow-downgrade mode
Previously, sd-resolved unnecessarily requested SOA records for each dns
label in the query, even though they are not needed for the chain of
trust. Since 4769063, only the necessary records are queried when
validating.

This is actually a problem in allow-downgrade mode, since we will no
longer attempt a query for a record that we know is signed a priori, and
will therefore never update our belief about the state of dnssec support
in the recursive resolver.

Rectify this by reintroducing a query for the root zone SOA in the
allow-downgrade case, specifically to test that the resolver attaches
the RRSIGs which we know must exist.

Fixes: 4769063 ("resolved: don't request the SOA for every dns label")
rpigott committed May 1, 2024
1 parent ba2caa8 commit f8fcf3d
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion src/resolve/resolved-dns-transaction.c
Expand Up @@ -2647,7 +2647,7 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
case DNS_TYPE_DS:
case DNS_TYPE_CNAME:
case DNS_TYPE_DNAME: {
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL, *soa = NULL;
const char *name;

/* CNAMEs and DNAMEs cannot be located at a
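Review bot: `soa` is declared at the top of the case block alongside `ds`, but it is only used inside the new root-zone branch further down; consider declaring it inside that `if` block so its lifetime and `_cleanup_` release are scoped to the one place it is needed, and so a reader of this case does not have to search for where `soa` is set. If the shared declaration is preferred for consistency with `ds`, note that the `_cleanup_(dns_resource_key_unrefp)` attribute does apply to both declarators on that line, so no leak results either way.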
Expand Down Expand Up @@ -2695,6 +2695,21 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
if (r < 0)
return r;

if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE && dns_name_is_root(name)) {
/* We made it all the way to the root zone. If we are in allow-downgrade
* mode, we need to make at least one request that we can be certain should
* have been signed, to test for servers that are not dnssec aware. */
soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
if (!soa)
return -ENOMEM;

log_debug("Requesting root zone SOA to probe dnssec support");
r = dns_transaction_request_dnssec_rr(t, soa);
if (r < 0)
return r;

}

break;
}
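Review bot: there is a stray blank line between `return r;` and the closing `}` of the new `if` block; drop it so the block ends as `if (r < 0) return r; }`, matching the surrounding style. Two things worth confirming in the logic: first, the probe is keyed on `dns_name_is_root(name)`, and `name` is assigned above this hunk (not visible here), so the root SOA request is only issued when the DS chase actually walks up to the root, which should be documented in the comment if that is the intended trigger point; second, `rr->key->class` is used for the SOA key, so the probe is sent in whatever class the original RR belongs to, which is fine for IN but is worth a short note since the debug message says only "root zone SOA".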
