Respond to any local name also withou rd bit set (#1647464)

2020-03-10 15:57:18 +01:00 · 2020-03-10 15:57:18 +01:00 · 0461a69019
commit 0461a69019
parent c8684b8c32
2 changed files with 97 additions and 1 deletions
--- a/dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
+++ b/dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
@ -0,0 +1,91 @@
 From d070ba529bf3be2c6c1e2fe52120820cc83ced68 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Fri, 12 Apr 2019 15:29:00 +0200
 Subject: [PATCH] Restore ability to answer non-recursive requests
 Instead, check only local configured entries are answered without
 rdbit set. All cached replies are still denied, but locally configured
 names are available with both recursion and without it.
 Fixes commit 4139298d287eb5c57f4aa53c459cb02fc5be2495 unintended
 behaviour.
 (cherry-picked from 29ae3083981ea82f535f77ea54bbd538f1224a9e)
 ---
 src/rfc1035.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
 diff --git a/src/rfc1035.c b/src/rfc1035.c
 index a943ecb..efc7009 100644
 --- a/src/rfc1035.c
 +++ b/src/rfc1035.c
@@ -1273,7 +1273,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
   else
     return daemon->max_ttl;
 }
 -  
 +
 +static int cache_validated(const struct crec *crecp)
 +{
 +  return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
 +}
 /* return zero if we can't answer from cache, or packet size if we can */
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
@@ -1292,17 +1296,20 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
   int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
   struct mx_srv_record *rec;
   size_t len;
 +  int rd_bit;
 +
   // Make sure we do not underflow here too.
   if (qlen > (limit - ((char *)header))) return 0;
   /* never answer queries with RD unset, to avoid cache snooping. */
 -  if (!(header->hb3 & HB3_RD) ||
 -      ntohs(header->ancount) != 0 ||
 +  if (!ntohs(header->ancount) != 0 ||
       ntohs(header->nscount) != 0 ||
       ntohs(header->qdcount) == 0 || 
       OPCODE(header) != QUERY )
     return 0;
 +  rd_bit = (header->hb3 & HB3_RD);
 +
   /* Don't return AD set if checking disabled. */
   if (header->hb4 & HB4_CD)
     sec_data = 0;
@@ -1467,9 +1474,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  /* Don't use cache when DNSSEC data required, unless we know that
 		     the zone is unsigned, which implies that we're doing
 		     validation. */
 -		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || 
 -		      !do_bit || 
 -		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
 +		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
 +		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
 		    {
 		      do 
 			{ 
@@ -1666,8 +1672,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  /* If the client asked for DNSSEC  don't use cached data. */
 		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
 -		      !do_bit ||
 -		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
 +		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
 		    do
 		      { 
 			/* don't answer wildcard queries with data not from /etc/hosts
@@ -1751,7 +1756,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	    {
 	      if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
 		  (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
 -		  ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
 +		  ((crecp->flags & F_CONFIG) || (rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))))
 		{
 		  if (!(crecp->flags & F_DNSSECOK))
 		    sec_data = 0;
 -- 
 2.21.1
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@ -13,7 +13,7 @@
 Name:           dnsmasq
 Version:        2.80
-Release:        12%{?extraversion:.%{extraversion}}%{?dist}
+Release:        13%{?extraversion:.%{extraversion}}%{?dist}
 Summary:        A lightweight DHCP/caching DNS server
 License:        GPLv2 or GPLv3
@ -43,6 +43,8 @@ Patch12:        dnsmasq-2.81-Extend-79aba0f10ad0157fb4f48afbbcb03f094caff97a.pat
 Patch13:        dnsmasq-2.81-adjust-changes-to-version-2.80.patch
 # http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=52ec7836139e7a11374971905e5ac0d2d02e32c0
 Patch14:        dnsmasq-2.81-tag-filtering-of-dhcp-host-directives.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1647464
 Patch15:        dnsmasq-2.81-restore-ability-to-answer-non-recursive-requests.patch
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@ -175,6 +177,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_mandir}/man1/dhcp_*
 %changelog
 * Tue Mar 10 2020 Petr Menšík <pemensik@redhat.com> - 2.80-13
 - Respond to any local name also withou rd bit set (#1647464)
 * Wed Mar 04 2020 Petr Menšík <pemensik@redhat.com> - 2.80-12
 - Support multiple static leases for single mac on IPv6 (#1810172)