resolved: validate noerror response for CNAMEs

CNAME doesn't exist at the zone apex. When we get an unsigned noerror response to a direct query for a CNAME record, we don't yet know if this name is zone apex. We already request the correct DS record in this case, but previously skipped it at validation time, causing the answer to appear bogus. Make sure to also consider the DS record for the query name for negative replies.

resolved: validate noerror response for CNAMEs
afdb38a3 · Ronan Pigott · Lennart Poettering · a95aacc8 · afdb38a3 · afdb38a3
Commit afdb38a3 authored 6 months ago by Ronan Pigott Committed by Lennart Poettering 6 months ago
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -3071,16 +3071,6 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {

        name = dns_resource_key_name(dns_transaction_key(t));

-        if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_DS, DNS_TYPE_CNAME, DNS_TYPE_DNAME)) {
-                /* We got a negative reply for this DS/CNAME/DNAME lookup? Check the parent in this case to
-                 * see if this answer should have been signed. */
-                r = dns_name_parent(&name);
-                if (r < 0)
-                        return r;
-                if (r == 0)
-                        return true;
-        }
-
        /* For all other RRs we check the DS on the same level to see
         * if it's signed. */


--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -496,6 +496,8 @@ testcase_08_resolved() {
    grep -qF "15 mail.unsigned.test." "$RUN_OUT"
    run resolvectl query --legend=no -t MX unsigned.test
    grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
+    run dig @ns1.unsigned.test +noall +comments unsigned.test CNAME
+    grep -qF "status: NOERROR" "$RUN_OUT"

    : "--- ZONE: signed.test (static DNSSEC) ---"
    # Check the trust chain (with and without systemd-resolved in between