Skip to content

D
Dnsmasq
Commit dd4ad9ac authored by Simon Kelley's avatar Simon Kelley
Browse files
Options

Tweaks to EDNS0 handling in DNS replies.

parent 2dbba34b
Show whitespace changes
Inline Side-by-side
Showing with 42 additions and 35 deletions
src/dnssec.c
View file @ dd4ad9ac
...@@ -2129,8 +2129,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch ...@@ -2129,8 +2129,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
/* Empty DS without NSECS */ /* Empty DS without NSECS */
if (qtype == T_DS) if (qtype == T_DS)
return STAT_BOGUS; return STAT_BOGUS;
else
{
rc = zone_status(name, qclass, keyname, now); rc = zone_status(name, qclass, keyname, now);
if (rc != STAT_SECURE) if (rc != STAT_SECURE)
{ {
...@@ -2141,7 +2140,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch ...@@ -2141,7 +2140,6 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
return STAT_BOGUS; /* signed zone, no NSECs */ return STAT_BOGUS; /* signed zone, no NSECs */
} }
}
if (nsec_type == T_NSEC) if (nsec_type == T_NSEC)
rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons); rc = prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon->workspacename, keyname, name, qtype, nons);
......
src/rfc1035.c
View file @ dd4ad9ac
...@@ -1540,6 +1540,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, ...@@ -1540,6 +1540,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
struct mx_srv_record *rec; struct mx_srv_record *rec;
size_t len; size_t len;
if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 ||
ntohs(header->qdcount) == 0 ||
OPCODE(header) != QUERY )
return 0;
/* Don't return AD set if checking disabled. */ /* Don't return AD set if checking disabled. */
if (header->hb4 & HB4_CD) if (header->hb4 & HB4_CD)
sec_data = 0; sec_data = 0;
...@@ -1548,12 +1554,15 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, ...@@ -1548,12 +1554,15 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
*ad_reqd = header->hb4 & HB4_AD; *ad_reqd = header->hb4 & HB4_AD;
*do_bit = 0; *do_bit = 0;
/* If there is an RFC2671 pseudoheader then it will be overwritten by /* If there is an additional data section then it will be overwritten by
partial replies, so we have to do a dry run to see if we can answer partial replies, so we have to do a dry run to see if we can answer
the query. We check to see if the do bit is set, if so we always the query. */
forward rather than answering from the cache, which doesn't include
security information, unless we're in DNSSEC validation mode. */ if (ntohs(header->arcount) != 0)
{
dryrun = 1;
/* If there's an additional section, there might be an EDNS(0) pseudoheader */
if (find_pseudoheader(header, qlen, NULL, &pheader, NULL)) if (find_pseudoheader(header, qlen, NULL, &pheader, NULL))
{ {
unsigned short flags; unsigned short flags;
...@@ -1568,12 +1577,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, ...@@ -1568,12 +1577,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
*do_bit = 1;/* do bit */ *do_bit = 1;/* do bit */
*ad_reqd = 1; *ad_reqd = 1;
} }
dryrun = 1;
} }
}
if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
return 0;
for (rec = daemon->mxnames; rec; rec = rec->next) for (rec = daemon->mxnames; rec; rec = rec->next)
rec->offset = 0; rec->offset = 0;
...@@ -1730,8 +1735,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, ...@@ -1730,8 +1735,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
} }
else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa))) else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
{ {
/* Don't use cache when DNSSEC data required. */ /* Don't use cache when DNSSEC data required, unless we know that
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(crecp->flags & F_DNSSECOK)) the zone is unsigned, which implies that we're doing
validation. */
if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
!sec_reqd ||
(option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
{ {
do do
{ {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment