Merging upstream version 255.5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-25 02:54:54 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-25 02:54:54 +0000
commit: af2a7ac568af7b8ecf1002023dd9d07135c3c9c2 (patch)
tree: 581ab49f856374f88fabfc43ba54969edbe67316 /src/resolve/resolved-dns-trust-anchor.c
parent: Releasing progress-linux version 255.4-1~progress7.99u1. (diff)
download: systemd-af2a7ac568af7b8ecf1002023dd9d07135c3c9c2.tar.xz
systemd-af2a7ac568af7b8ecf1002023dd9d07135c3c9c2.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
index 1703c43..8aea5e1 100644
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -165,6 +165,11 @@ static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) {
                 /* Defined by RFC 8375. The most official choice. */
                 "home.arpa\0"
 
+                /* RFC 9462 doesn't mention DNSSEC, but this domain
+                 * can't really be signed and clients need to validate
+                 * the answer before using it anyway. */
+                "resolver.arpa\0"
+
                 /* RFC 8880 says because the 'ipv4only.arpa' zone has to
                  * be an insecure delegation, DNSSEC cannot be used to
                  * protect these answers from tampering by malicious
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-25 02:54:54 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-25 02:54:54 +0000
commit	af2a7ac568af7b8ecf1002023dd9d07135c3c9c2 (patch)
tree	581ab49f856374f88fabfc43ba54969edbe67316 /src/resolve/resolved-dns-trust-anchor.c
parent	Releasing progress-linux version 255.4-1~progress7.99u1. (diff)
download	systemd-af2a7ac568af7b8ecf1002023dd9d07135c3c9c2.tar.xz systemd-af2a7ac568af7b8ecf1002023dd9d07135c3c9c2.zip