From afdb38a39f49292219e6721f39dec048977eafa7 Mon Sep 17 00:00:00 2001
From: Ronan Pigott <ronan@rjp.ie>
Date: Sun, 20 Oct 2024 23:16:49 -0700
Subject: [PATCH] resolved: validate noerror response for CNAMEs

CNAME doesn't exist at the zone apex. When we get an unsigned noerror
response to a direct query for a CNAME record, we don't yet know if this
name is zone apex. We already request the correct DS record in this
case, but previously skipped it at validation time, causing the answer
to appear bogus. Make sure to also consider the DS record for the query
name for negative replies.
---
 src/resolve/resolved-dns-transaction.c | 10 ----------
 test/units/TEST-75-RESOLVED.sh         |  2 ++
 2 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index f78bf0702b..a162a91a03 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -3071,16 +3071,6 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {
 
         name = dns_resource_key_name(dns_transaction_key(t));
 
-        if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_DS, DNS_TYPE_CNAME, DNS_TYPE_DNAME)) {
-                /* We got a negative reply for this DS/CNAME/DNAME lookup? Check the parent in this case to
-                 * see if this answer should have been signed. */
-                r = dns_name_parent(&name);
-                if (r < 0)
-                        return r;
-                if (r == 0)
-                        return true;
-        }
-
         /* For all other RRs we check the DS on the same level to see
          * if it's signed. */
 
diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index 4a7b759717..576c04f87a 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -496,6 +496,8 @@ testcase_08_resolved() {
     grep -qF "15 mail.unsigned.test." "$RUN_OUT"
     run resolvectl query --legend=no -t MX unsigned.test
     grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
+    run dig @ns1.unsigned.test +noall +comments unsigned.test CNAME
+    grep -qF "status: NOERROR" "$RUN_OUT"
 
     : "--- ZONE: signed.test (static DNSSEC) ---"
     # Check the trust chain (with and without systemd-resolved in between
-- 
GitLab