Better handling of truncated DNSSEC replies.

5d3b87a4 · Simon Kelley · 72ae2f3d · 5d3b87a4 · 5d3b87a4
Commit 5d3b87a4 authored Jan 20, 2014 by Simon Kelley
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 13 deletions

src/dnsmasq.h src/dnsmasq.h +1 -0

src/forward.c src/forward.c +13 -13

No files found.
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -519,6 +519,7 @@ struct hostsfile {
 #define STAT_BOGUS              3
 #define STAT_NEED_DS            4
 #define STAT_NEED_KEY           5
+#define STAT_TRUNCATED          6
 #define FREC_NOREBIND           1
 #define FREC_CHECKING_DISABLED  2

--- a/src/forward.c
+++ b/src/forward.c
@@ -751,14 +751,11 @@ void reply_query(int fd, int family, time_t now)
 	  if (header->hb3 & HB3_TC)
 	    {
 	      /* Truncated answer can't be validated.
-		 The client will retry over TCP, but if this is an answer to a 
+		 If this is an answer to a DNSSEC-generated query, we still
-		 DNSSEC-generated query, we have a problem. Should really re-send
+		 need to get the client to retry over TCP, so return
-		 over TCP. No-one with any sense will make a DNSKEY or DS RRset
+		 an answer with the TC bit set, even if the actual answer fits.
-		 exceed 4096, so this may not be a real problem. Just log 
+	      */
-		 for now. */
+	      status = STAT_TRUNCATED;
-	      if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
-		my_syslog(LOG_ERR, _("Reply to DNSSEC query truncated - validation fails."));
-	      status = STAT_INSECURE;
 	    }
 	  else if (forward->flags & FREC_DNSKEY_QUERY)
 	    status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);		      
@@ -892,6 +889,9 @@ void reply_query(int fd, int family, time_t now)
 		}
 	    }
+	  if (status == STAT_TRUNCATED)
+	     header->hb3 |= HB3_TC;
+	  else
 	    log_query(F_KEYTAG | F_SECSTAT, "result", NULL, 
 		      status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));