From 51fac37bb20c9440a9a4e0a20846c139364d6d13 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Thu, 25 Apr 2024 04:54:52 +0200
Subject: Adding upstream version 255.5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 src/resolve/resolved-dns-trust-anchor.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/resolve/resolved-dns-trust-anchor.c')

diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
index 1703c43..8aea5e1 100644
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -165,6 +165,11 @@ static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) {
                 /* Defined by RFC 8375. The most official choice. */
                 "home.arpa\0"
 
+                /* RFC 9462 doesn't mention DNSSEC, but this domain
+                 * can't really be signed and clients need to validate
+                 * the answer before using it anyway. */
+                "resolver.arpa\0"
+
                 /* RFC 8880 says because the 'ipv4only.arpa' zone has to
                  * be an insecure delegation, DNSSEC cannot be used to
                  * protect these answers from tampering by malicious
-- 
cgit v1.2.3