RRSIGS for PTR records from cache.

2d33bda2 · Simon Kelley · 32f90c0f · 2d33bda2 · 2d33bda2 · 2d33bda2
Commit 2d33bda2 authored Jan 24, 2014 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 72 additions and 37 deletions

src/cache.c src/cache.c +1 -1

src/dnssec.c src/dnssec.c +1 -1

src/rfc1035.c src/rfc1035.c +70 -35

No files found.
--- a/src/cache.c
+++ b/src/cache.c
@@ -1255,7 +1255,7 @@ void dump_cache(time_t now)
 	  {
 	    char *a = daemon->addrbuff, *p = daemon->namebuff, *n = cache_get_name(cache);
 	    *a = 0;
-	    if (strlen(n) == 0)
+	    if (strlen(n) == 0 && !(cache->flags & F_REVERSE))
 	      n = "<Root>";
 	    p += sprintf(p, "%-40.40s ", n);
 	    if ((cache->flags & F_CNAME) && !is_outdated_cname_pointer(cache))

--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -581,7 +581,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 		   /* If it's a type we're going to cache, cache the RRISG too */
 		   if (type_covered == T_A || type_covered == T_AAAA ||
 		       type_covered == T_CNAME || type_covered == T_DS || 
-		       type_covered == T_DNSKEY) 
+		       type_covered == T_DNSKEY || type_covered == T_PTR) 
 		     {
 		       struct all_addr a;
 		       struct blockdata *block;

--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -984,6 +984,7 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 			{
 			  if (!cname_count--)
 			    return 0; /* looped CNAMES */
+			  secflag = 0; /* no longer DNSSEC */
 			  goto cname_loop;
 			}
@@ -1708,41 +1709,75 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		    }
 		}
 	      else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
-		do 
+		{
-		  { 
+#ifdef HAVE_DNSSEC
-		    /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
+		  if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && 
-		    if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
+		      (crecp->flags & F_DNSSECOK) &&
-		      continue;
+		      !(crecp->flags & F_NEG) && 
+		      sec_reqd &&
-		    if (!(crecp->flags & F_DNSSECOK))
+		      option_bool(OPT_DNSSEC_VALID))
-		      sec_data = 0;
+		    {
+		      int gotsig = 0;
-		    if (crecp->flags & F_NEG)
-		      {
+		      crecp = NULL;
-			ans = 1;
+		      while ((crecp = cache_find_by_name(crecp, name, now, F_DS | F_DNSKEY)))
-			auth = 0;
+			{
-			if (crecp->flags & F_NXDOMAIN)
+			  if (crecp->addr.sig.type_covered == T_PTR && crecp->uid == C_IN)
-			  nxdomain = 1;
+			    {
-			if (!dryrun)
+			      char *sigdata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL);
-			  log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
+			      gotsig = 1;
-		      }
-		    else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bool(OPT_DNSSEC_VALID))
+			      if (!dryrun && 
-		      {
+				  add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-			ans = 1;
+						      crecp->ttd - now, &nameoffset,
-			if (!(crecp->flags & (F_HOSTS | F_DHCP)))
+						      T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata))
-			  auth = 0;
+				anscount++;
-			if (!dryrun)
+			    }
-			  {
+			} 
-			    log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr, 
+		      /* Need to re-run original cache search */
-				      record_source(crecp->uid));
+		      crecp = gotsig ? cache_find_by_addr(NULL, &addr, now, is_arpa) : NULL;
+		    }
-			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+#endif
-						    crec_ttl(crecp, now), NULL,
-						    T_PTR, C_IN, "d", cache_get_name(crecp)))
+		  if (crecp)
-			      anscount++;
+		    {
-			  }
+		      do 
-		      }
+			{ 
-		  } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
+			  /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
+			  if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
+			    continue;
+			  if (!(crecp->flags & F_DNSSECOK))
+			    sec_data = 0;
+			  if (crecp->flags & F_NEG)
+			    {
+			      ans = 1;
+			      auth = 0;
+			      if (crecp->flags & F_NXDOMAIN)
+				nxdomain = 1;
+			      if (!dryrun)
+				log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
+			    }
+			  else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bool(OPT_DNSSEC_VALID))
+			    {
+			      ans = 1;
+			      if (!(crecp->flags & (F_HOSTS | F_DHCP)))
+				auth = 0;
+			      if (!dryrun)
+				{
+				  log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr, 
+					    record_source(crecp->uid));
+				  if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
+							  crec_ttl(crecp, now), NULL,
+							  T_PTR, C_IN, "d", cache_get_name(crecp)))
+				    anscount++;
+				}
+			    }
+			} while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
+		    }
+		}
 	      else if (is_rev_synth(is_arpa, &addr, name))
 		{
 		  ans = 1;