diff --git a/dnsmasq-2.80-dnssec.patch b/dnsmasq-2.80-dnssec.patch
new file mode 100644
index 0000000..a34f46e
--- /dev/null
+++ b/dnsmasq-2.80-dnssec.patch
@@ -0,0 +1,73 @@
+From a997ca0da044719a0ce8a232d14da8b30022592b Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Fri, 29 Jun 2018 14:39:41 +0100
+Subject: [PATCH] Fix sometimes missing DNSSEC RRs when DNSSEC validation not
+ enabled.
+
+Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
+of of having DNSSEC validation compiled in or enabled.
+
+The thing to understand here is that the cache does not store all the
+DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
+to determine the set of DNSSEC RRs required in an answer. Therefore if
+the client wants the DNSSEC RRs, the query can not be answered from
+the cache. When DNSSEC validation is enabled, any query with the
+do-bit set is never answered from the cache, unless the domain is
+known not to be signed: the query is always forwarded. This ensures
+that the DNSEC RRs are included.
+
+The same thing should be true when DNSSEC validation is not enabled,
+but there's a bug in the logic.
+
+line 1666 of src/rfc1035.c looks like this
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
+
+{ ...answer from cache ... }
+
+So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
+then the query is answered, and if the domain is known not to be
+signed, the query is answered.
+
+Unfortunately, if DNSSEC validation is not turned on then the
+F_DNSSECOK bit is not valid, and it's always zero, so the question
+always gets answered from the cache, even when the do-bit is set.
+
+This code should look like that at line 1468, dealing with PTR queries
+
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
+ !do_bit ||
+ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+
+where the F_DNSSECOK bit is only used when validation is enabled.
+---
+ src/rfc1035.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index ebb1f36..580f5ef 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1663,7 +1663,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ }
+
+ /* If the client asked for DNSSEC don't use cached data. */
+- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))
++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
++ !do_bit ||
++ (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
+ do
+ {
+ /* don't answer wildcard queries with data not from /etc/hosts
+@@ -1747,7 +1749,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+ {
+ if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
+ (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
+- ((crecp->flags & F_CONFIG) || !do_bit || !(crecp->flags & F_DNSSECOK)))
++ ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
+ {
+ if (!(crecp->flags & F_DNSSECOK))
+ sec_data = 0;
+--
+2.14.4
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 31a0555..9c7f40f 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.79
-Release: 1%{?extraversion:.%{extraversion}}%{?dist}
+Release: 2%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3
@@ -25,6 +25,7 @@ Source2: dnsmasq-systemd-sysusers.conf
 # https://bugzilla.redhat.com/show_bug.cgi?id=1495409
 Patch1: dnsmasq-2.77-underflow.patch
 Patch3: dnsmasq-2.78-fips.patch
+Patch4: dnsmasq-2.80-dnssec.patch
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
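Review bot: The backported condition in both src/rfc1035.c hunks makes every query that carries the do-bit skip the cache whenever OPT_DNSSEC_VALID is off (only F_HOSTS/F_DHCP/F_CONFIG data is still served locally), so a non-validating dnsmasq that fronts DO-setting stub resolvers will now forward all of those queries upstream; that is the intended fix, but it is also a cache-hit-rate and upstream-load change that the packaging changelog line does not mention. The inner hunks sit in the middle of answer_request(), whose start and end lie outside the quoted context, and the file appears to be an unmodified upstream commit (a997ca0d...), so any wording belongs in dnsmasq.spec rather than in the patch file; a changelog line such as `- DO-bit queries are no longer answered from cache unless DNSSEC validation is enabled` would let operators anticipate the extra upstream traffic.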
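Review bot: `Patch4:` is added without the bugzilla reference comment that `Patch1:` carries two lines above, so the reason for the patch is only recoverable from the changelog. For consistency and traceability add `# https://bugzilla.redhat.com/show_bug.cgi?id=1597309` directly above `Patch4: dnsmasq-2.80-dnssec.patch`; naming the upstream commit a997ca0da044719a0ce8a232d14da8b30022592b in that comment would also make it obvious that the patch can be dropped on the 2.80 rebase.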
@@ -61,6 +62,7 @@ server's leases.
 %setup -q -n %{name}-%{version}%{?extraversion}
 %patch1 -p1 -b .underflow
 %patch3 -p1 -b .fips
+%patch4 -p1 -b .dnssec
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -159,6 +161,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 %changelog
+* Mon Jul 02 2018 Petr Menšík - 2.79-2
+- Fix passing of dnssec enabled queries (#1597309)
+
+* Thu Mar 15 2018 Petr Menšík - 2.79-1
 - Rebase to 2.79
 - Stop using nettle_hashes directly, use access function (#1548060)