cb7c105d3c
Every query was refused because of forgotten ! from original line.
92 lines
3.5 KiB
Diff
92 lines
3.5 KiB
Diff
From bb7adef44c20e4271b0b8a6e55dac4e986c02fef Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
Date: Fri, 12 Apr 2019 15:29:00 +0200
|
|
Subject: [PATCH] Restore ability to answer non-recursive requests
|
|
|
|
Instead, check only local configured entries are answered without
|
|
rdbit set. All cached replies are still denied, but locally configured
|
|
names are available with both recursion and without it.
|
|
|
|
Fixes commit 4139298d287eb5c57f4aa53c459cb02fc5be2495 unintended
|
|
behaviour.
|
|
|
|
(cherry-picked from 29ae3083981ea82f535f77ea54bbd538f1224a9e)
|
|
---
|
|
src/rfc1035.c | 23 ++++++++++++++---------
|
|
1 file changed, 14 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/src/rfc1035.c b/src/rfc1035.c
|
|
index a943ecb..74befef 100644
|
|
--- a/src/rfc1035.c
|
|
+++ b/src/rfc1035.c
|
|
@@ -1273,7 +1273,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
|
|
else
|
|
return daemon->max_ttl;
|
|
}
|
|
-
|
|
+
|
|
+static int cache_validated(const struct crec *crecp)
|
|
+{
|
|
+ return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
|
|
+}
|
|
|
|
/* return zero if we can't answer from cache, or packet size if we can */
|
|
size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
@@ -1292,17 +1296,20 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
|
|
struct mx_srv_record *rec;
|
|
size_t len;
|
|
+ int rd_bit;
|
|
+
|
|
// Make sure we do not underflow here too.
|
|
if (qlen > (limit - ((char *)header))) return 0;
|
|
|
|
/* never answer queries with RD unset, to avoid cache snooping. */
|
|
- if (!(header->hb3 & HB3_RD) ||
|
|
- ntohs(header->ancount) != 0 ||
|
|
+ if (ntohs(header->ancount) != 0 ||
|
|
ntohs(header->nscount) != 0 ||
|
|
ntohs(header->qdcount) == 0 ||
|
|
OPCODE(header) != QUERY )
|
|
return 0;
|
|
|
|
+ rd_bit = (header->hb3 & HB3_RD);
|
|
+
|
|
/* Don't return AD set if checking disabled. */
|
|
if (header->hb4 & HB4_CD)
|
|
sec_data = 0;
|
|
@@ -1467,9 +1474,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
/* Don't use cache when DNSSEC data required, unless we know that
|
|
the zone is unsigned, which implies that we're doing
|
|
validation. */
|
|
- if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
|
- !do_bit ||
|
|
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
|
+ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
|
+ (rd_bit && (!do_bit || cache_validated(crecp)) ))
|
|
{
|
|
do
|
|
{
|
|
@@ -1666,8 +1672,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
|
|
/* If the client asked for DNSSEC don't use cached data. */
|
|
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
|
|
- !do_bit ||
|
|
- (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
|
|
+ (rd_bit && (!do_bit || cache_validated(crecp)) ))
|
|
do
|
|
{
|
|
/* don't answer wildcard queries with data not from /etc/hosts
|
|
@@ -1751,7 +1756,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
|
|
{
|
|
if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
|
|
(qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
|
|
- ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
|
|
+ ((crecp->flags & F_CONFIG) || (rd_bit && (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))))
|
|
{
|
|
if (!(crecp->flags & F_DNSSECOK))
|
|
sec_data = 0;
|
|
--
|
|
2.21.1
|
|
|