summaryrefslogtreecommitdiffstats
path: root/src/resolve/resolved-dns-cache.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-25 02:54:52 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-25 02:54:52 +0000
commit51fac37bb20c9440a9a4e0a20846c139364d6d13 (patch)
tree77c11a0dffc2c15542689f3a51d12d5076c477e8 /src/resolve/resolved-dns-cache.c
parentAdding upstream version 255.4. (diff)
downloadsystemd-51fac37bb20c9440a9a4e0a20846c139364d6d13.tar.xz
systemd-51fac37bb20c9440a9a4e0a20846c139364d6d13.zip
Adding upstream version 255.5.upstream/255.5
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/resolve/resolved-dns-cache.c')
-rw-r--r--src/resolve/resolved-dns-cache.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index a9a6492..e90915e 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -531,6 +531,20 @@ static int dns_cache_put_positive(
TAKE_PTR(i);
return 0;
}
+/* https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml */
+/* https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml#transport-independent */
+static bool dns_special_use_domain_invalid_answer(DnsResourceKey *key, int rcode) {
+ /* Sometimes we know a domain exists, even if broken nameservers say otherwise. Make sure not to
+ * cache any answers we know are wrong. */
+
+ /* RFC9462 ยง 6.4: resolvers SHOULD respond to queries of any type other than SVCB for
+ * _dns.resolver.arpa. with NODATA and queries of any type for any domain name under resolver.arpa
+ * with NODATA. */
+ if (dns_name_endswith(dns_resource_key_name(key), "resolver.arpa") > 0 && rcode == DNS_RCODE_NXDOMAIN)
+ return true;
+
+ return false;
+}
static int dns_cache_put_negative(
DnsCache *c,
@@ -561,6 +575,8 @@ static int dns_cache_put_negative(
return 0;
if (dns_type_is_pseudo(key->type))
return 0;
+ if (dns_special_use_domain_invalid_answer(key, rcode))
+ return 0;
if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) {
if (!soa)