Fix DNSSEC passtrough
parent
41e404dd4c
commit
db0bc30a48
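--- a/dnsmasq-2.80-dnssec.patch
+++ b/dnsmasq-2.80-dnssec.patch
@@ -0,0 +1,73 @@
+From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Fri, 29 Jun 2018 14:39:41 +0100
+Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
+enabled.
+
+Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
+of of having DNSSEC validation compiled in or enabled.
+
+The thing to understand here is that the cache does not store all the
+DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
+to determine the set of DNSSEC RRs required in an answer. Therefore if
+the client wants the DNSSEC RRs, the query can not be answered from
+the cache. When DNSSEC validation is enabled, any query with the
+do-bit set is never answered from the cache, unless the domain is
+known not to be signed: the query is always forwarded. This ensures
+that the DNSEC RRs are included.
+
+The same thing should be true when DNSSEC validation is not enabled,
+but there's a bug in the logic.
+
+line 1666 of src/rfc1035.c looks like this
+
+if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
+
+{ ...answer from cache ... }
+
+So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
+then the query is answered, and if the domain is known not to be
+signed, the query is answered.
+
+Unfortunately, if DNSSEC validation is not turned on then the
+F_DNSSECOK bit is not valid, and it's always zero, so the question
+always gets answered from the cache, even when the do-bit is set.
+
+This code should look like that at line 1468, dealing with PTR queries
+
+if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+!do_bit ||
+(option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+
+where the F_DNSSECOK bit is only used when validation is enabled.
+---
+src/rfc1035.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index ebb1f36..580f5ef 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+}
+
+/* If the client asked for DNSSEC don't use cached data. */
+- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
++ !do_bit ||
++ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+do
+{
+/* don't answer wildcard queries with data not from /etc/hosts
+@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+{
+if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
+(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
+- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
++ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+{
+if (!(crecp->flags & F_DNSSECOK))
+sec_data = 0;
+--
+2.14.4
+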
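Review bot: The cache-eligibility test is written out separately in each of the two rfc1035.c hunks, and per the commit message a third time in the PTR path around line 1468. The bug fixed here is exactly those copies drifting apart, so a comment at each site naming its siblings (or, upstream, one small static helper) would make the next divergence harder to miss. In the second hunk the line after the changed condition still reads `F_DNSSECOK` unguarded to clear `sec_data`; going by the commit message the flag is always zero without validation, so `sec_data` is then always cleared, which looks intended but is not stated. I would add above both conditions `/* F_DNSSECOK is only valid with OPT_DNSSEC_VALID; otherwise a do-bit query is answered from cache only for local data. */`. `answer_request` starts and ends outside both hunks, so its other cache-answering branches could not be checked here.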
|
@ -13,7 +13,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.79
|
||||
Release: 1%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 2%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
License: GPLv2 or GPLv3
|
||||
@ -25,6 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
||||
Patch1: dnsmasq-2.77-underflow.patch
|
||||
Patch3: dnsmasq-2.78-fips.patch
|
||||
Patch4: dnsmasq-2.80-dnssec.patch
|
||||
|
||||
# This is workaround to nettle bug #1549190
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||
@ -61,6 +62,7 @@ server's leases.
|
||||
%setup -q -n %{name}-%{version}%{?extraversion}
|
||||
%patch1 -p1 -b .underflow
|
||||
%patch3 -p1 -b .fips
|
||||
%patch4 -p1 -b .dnssec
|
||||
|
||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||
@ -159,6 +161,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
||||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Mon Jul 02 2018 Petr Menšík <pemensik@redhat.com> - 2.79-2
|
||||
- Fix passing of dnssec enabled queries (#1597309)
|
||||
|
||||
* Thu Mar 15 2018 Petr Menšík <pemensik@redhat.com> - 2.79-1
|
||||
- Rebase to 2.79
|
||||
- Stop using nettle_hashes directly, use access function (#1548060)
|
||||
|
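Review bot: `Patch4: dnsmasq-2.80-dnssec.patch` is added without a provenance comment, while `Patch1` directly above it carries its Bugzilla URL. The changelog entry cites #1597309, so a line such as `# https://bugzilla.redhat.com/show_bug.cgi?id=1597309` above `Patch4` would keep the backport traceable, and the upstream commit named in the patch's own `From a997ca0da044…` header could be cited next to it. The patch file name says 2.80 while `Version:` is 2.79, which suggests a backport from the next upstream release; saying so in that comment tells whoever rebases that the patch should then be dropped.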