Adding upstream version 255.5.upstream/255.5

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-25 02:54:52 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-25 02:54:52 +0000
commit: 51fac37bb20c9440a9a4e0a20846c139364d6d13 (patch)
tree: 77c11a0dffc2c15542689f3a51d12d5076c477e8 /src/resolve/resolved-dns-trust-anchor.c
parent: Adding upstream version 255.4. (diff)
download: systemd-51fac37bb20c9440a9a4e0a20846c139364d6d13.tar.xz
systemd-51fac37bb20c9440a9a4e0a20846c139364d6d13.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
index 1703c43..8aea5e1 100644
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -165,6 +165,11 @@ static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) {
                 /* Defined by RFC 8375. The most official choice. */
                 "home.arpa\0"
 
+                /* RFC 9462 doesn't mention DNSSEC, but this domain
+                 * can't really be signed and clients need to validate
+                 * the answer before using it anyway. */
+                "resolver.arpa\0"
+
                 /* RFC 8880 says because the 'ipv4only.arpa' zone has to
                  * be an insecure delegation, DNSSEC cannot be used to
                  * protect these answers from tampering by malicious
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-25 02:54:52 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-25 02:54:52 +0000
commit	51fac37bb20c9440a9a4e0a20846c139364d6d13 (patch)
tree	77c11a0dffc2c15542689f3a51d12d5076c477e8 /src/resolve/resolved-dns-trust-anchor.c
parent	Adding upstream version 255.4. (diff)
download	systemd-51fac37bb20c9440a9a4e0a20846c139364d6d13.tar.xz systemd-51fac37bb20c9440a9a4e0a20846c139364d6d13.zip