resolved: never authenticate RRsets with revoked keys

author Lennart Poettering <lennart@poettering.net>

Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)

committer Lennart Poettering <lennart@poettering.net>

Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)
author Lennart Poettering <lennart@poettering.net>
Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)
committer Lennart Poettering <lennart@poettering.net>
Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c

index 6e6e62b..606d681 100644 (file)
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -671,6 +671,8 @@ int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnske
                  return 0;
          if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
                  return 0;
+        if ((dnskey->dnskey.flags & DNSKEY_FLAG_REVOKE))
+                return 0;
          if (dnskey->dnskey.protocol != 3)
                  return 0;
          if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h

index 90c3629..72bded7 100644 (file)
--- a/src/resolve/resolved-dns-rr.h
+++ b/src/resolve/resolved-dns-rr.h
@@ -34,8 +34,9 @@ typedef struct DnsResourceRecord DnsResourceRecord;
  typedef struct DnsTxtItem DnsTxtItem;
  
  /* DNSKEY RR flags */
-#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
  #define DNSKEY_FLAG_SEP      (UINT16_C(1) << 0)
+#define DNSKEY_FLAG_REVOKE   (UINT16_C(1) << 7)
+#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
  
  /* mDNS RR flags */
  #define MDNS_RR_CACHE_FLUSH  (UINT16_C(1) << 15)
author	Lennart Poettering <lennart@poettering.net>
	Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)
src/resolve/resolved-dns-dnssec.c		patch \| blob \| history
src/resolve/resolved-dns-rr.h		patch \| blob \| history