resolved: probe for dnssec support in allow-downgrade mode #32598
Conversation
Important: An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
Several superficial comments.
Previously, sd-resolved unnecessarily requested SOA records for each dns label in the query, even though they are not needed for the chain of trust. Since 4769063, only the necessary records are queried when validating. This is actually a problem in allow-downgrade mode, since we will no longer attempt a query for a record that we know is signed a priori, and will therefore never update our belief about the state of dnssec support in the recursive resolver. Rectify this by reintroducing a query for the root zone SOA in the allow-downgrade case, specifically to test that the resolver attaches the RRSIGs which we know must exist. Fixes: 4769063 ("resolved: don't request the SOA for every dns label")
f8fcf3d to ed4e1cb
Superficially LGTM. But I am not familiar with the change.
Fixes: #32570