Check that unsigned replies come from unsigned zones if --dnssec-check-unsigned set.

00a5b5d4 · Simon Kelley · b8eac191 · 00a5b5d4 · 00a5b5d4 · 00a5b5d4
Commit 00a5b5d4 authored Feb 28, 2014 by Simon Kelley
6 changed files
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -608,6 +608,15 @@ key(s) of the root zone,
 but trust anchors for limited domains are also possible. The current
 root-zone trust anchors may be donwloaded from https://data.iana.org/root-anchors/root-anchors.xml 
 .TP
+.B --dnssec-check-unsigned
+As a default, dnsmasq does not check that unsigned DNS replies are
+legitimate: they are assumed to be valid and passed on (without the
+"authentic data" bit set, of course). This does not protect against an
+attacker forging unsigned replies for signed DNS zones, but it is
+fast. If this flag is set, dnsmasq will check the zones of unsigned
+replies, to ensure that unsigned replies are allowed in those
+zones. The cost of this is more upstream queries and slower performance.
+.TP
 .B --proxy-dnssec
 Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.  This is an 
 alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between 

--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -232,7 +232,8 @@ struct event_desc {
 #define OPT_DNSSEC_VALID   45
 #define OPT_DNSSEC_PERMISS 46
 #define OPT_DNSSEC_DEBUG   47
-#define OPT_LAST           48
+#define OPT_DNSSEC_NO_SIGN 48 
+#define OPT_LAST           49

 /* extra flags for my_syslog, we use a couple of facilities since they are known 
   not to occupy the same bits as priorities, no matter how syslog.h is set up. */
@@ -535,6 +536,10 @@ struct hostsfile {
 #define STAT_NEED_KEY           5
 #define STAT_TRUNCATED          6
 #define STAT_SECURE_WILDCARD    7
+#define STAT_NO_SIG             8
+#define STAT_NO_DS              9
+#define STAT_NEED_DS_NEG       10
+#define STAT_CHASE_CNAME       11

 #define FREC_NOREBIND           1
 #define FREC_CHECKING_DISABLED  2
@@ -544,6 +549,7 @@ struct hostsfile {
 #define FREC_AD_QUESTION       32
 #define FREC_DO_QUESTION       64
 #define FREC_ADDED_PHEADER    128
+#define FREC_CHECK_NOSIGN     256

 #ifdef HAVE_DNSSEC
 #define HASH_SIZE 20 /* SHA-1 digest size */
@@ -1085,7 +1091,8 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
 size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr);
 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, char *name, char *keyname, int class);
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class);
-int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class);
+int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int *class, int *neganswer);
+int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname);
 int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
 size_t filter_rrsigs(struct dns_header *header, size_t plen);
 unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);

--- a/src/dnssec.c
+++ b/src/dnssec.c
--- a/src/forward.c
+++ b/src/forward.c
--- a/src/option.c
+++ b/src/option.c
@@ -143,6 +143,7 @@ struct myoption {
 #define LOPT_DNSSEC_DEBUG 331
 #define LOPT_REV_SERV     332
 #define LOPT_SERVERS_FILE 333
+#define LOPT_DNSSEC_CHECK 334

 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -283,6 +284,7 @@ static const struct myoption opts[] =
    { "dnssec", 0, 0, LOPT_SEC_VALID },
    { "trust-anchor", 1, 0, LOPT_TRUST_ANCHOR },
    { "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG },
+    { "dnssec-check-unsigned", 0, 0, LOPT_DNSSEC_CHECK },
 #ifdef OPTION6_PREFIX_CLASS 
    { "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS },
 #endif
@@ -438,6 +440,7 @@ static struct {
  { LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC validation"), NULL },
  { LOPT_TRUST_ANCHOR, ARG_DUP, "<domain>,[<class>],...", gettext_noop("Specify trust anchor key digest."), NULL },
  { LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
+  { LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
 #ifdef OPTION6_PREFIX_CLASS 
  { LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify DHCPv6 prefix class"), NULL },
 #endif

--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -927,7 +927,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
  
  for (i = ntohs(header->qdcount); i != 0; i--)
    {
-      int found = 0, cname_count = 5;
+      int found = 0, cname_count = 10;
      struct crec *cpp = NULL;
      int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
      int secflag = secure ?  F_DNSSECOK : 0;