74 lines
3.0 KiB
Diff
74 lines
3.0 KiB
Diff
|
From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
|
||
|
|
From: Simon Kelley <simon@thekelleys.org.uk>
|
||
|
|
Date: Fri, 29 Jun 2018 14:39:41 +0100
|
||
|
|
Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
|
||
|
|
enabled.
|
||
|
|
|
||
|
|
Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
|
||
|
|
of of having DNSSEC validation compiled in or enabled.
|
||
|
|
|
||
|
|
The thing to understand here is that the cache does not store all the
|
||
|
|
DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
|
||
|
|
to determine the set of DNSSEC RRs required in an answer. Therefore if
|
||
|
|
the client wants the DNSSEC RRs, the query can not be answered from
|
||
|
|
the cache. When DNSSEC validation is enabled, any query with the
|
||
|
|
do-bit set is never answered from the cache, unless the domain is
|
||
|
|
known not to be signed: the query is always forwarded. This ensures
|
||
|
|
that the DNSEC RRs are included.
|
||
|
|
|
||
|
|
The same thing should be true when DNSSEC validation is not enabled,
|
||
|
|
but there's a bug in the logic.
|
||
|
|
|
||
|
|
line 1666 of src/rfc1035.c looks like this
|
||
|
|
|
||
|
|
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
|
||
|
|
|
||
|
|
{ ...answer from cache ... }
|
||
|
|
|
||
|
|
So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
|
||
|
|
then the query is answered, and if the domain is known not to be
|
||
|
|
signed, the query is answered.
|
||
|
|
|
||
|
|
Unfortunately, if DNSSEC validation is not turned on then the
|
||
|
|
F_DNSSECOK bit is not valid, and it's always zero, so the question
|
||
|
|
always gets answered from the cache, even when the do-bit is set.
|
||
|
|
|
||
|
|
This code should look like that at line 1468, dealing with PTR queries
|
||
|
|
|
||
|
|
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
||
|
|
!do_bit ||
|
||
|
|
(option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
||
|
|
|
||
|
|
where the F_DNSSECOK bit is only used when validation is enabled.
|
||
|
|
---
|
||
|
|
src/rfc1035.c | 6 ++++--
|
||
|
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
||
|
|
index ebb1f36..580f5ef 100644
|
||
|
|
--- a/src/rfc1035.c
|
||
|
|
+++ b/src/rfc1035.c
|
||
|
|
@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||
|
|
}
|
||
|
|
|
||
|
|
/* If the client asked for DNSSEC don't use cached data. */
|
||
|
|
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
|
||
|
|
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
||
|
|
+ !do_bit ||
|
||
|
|
+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
||
|
|
do
|
||
|
|
{
|
||
|
|
/* don't answer wildcard queries with data not from /etc/hosts
|
||
|
|
@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
||
|
|
{
|
||
|
|
if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
|
||
|
|
(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
|
||
|
|
- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
|
||
|
|
+ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
|
||
|
|
{
|
||
|
|
if (!(crecp->flags & F_DNSSECOK))
|
||
|
|
sec_data = 0;
|
||
|
|
--
|
||
|
|
2.14.4
|
||
|
|
|