mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
Merge branch 'master' into cachedb-no-store
This commit is contained in:
commit
18ebe165ba
@ -543,6 +543,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
edns->udp_size = EDNS_ADVERTISED_SIZE;
|
||||
edns->ext_rcode = 0;
|
||||
edns->bits &= EDNS_DO;
|
||||
if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
|
||||
edns->edns_present = 0;
|
||||
if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, msg->rep,
|
||||
(int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
|
||||
worker->env.now_tv))
|
||||
@ -703,6 +705,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
edns->udp_size = EDNS_ADVERTISED_SIZE;
|
||||
edns->ext_rcode = 0;
|
||||
edns->bits &= EDNS_DO;
|
||||
if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
|
||||
edns->edns_present = 0;
|
||||
if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
|
||||
LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
|
||||
worker->env.now_tv))
|
||||
@ -743,6 +747,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
edns->udp_size = EDNS_ADVERTISED_SIZE;
|
||||
edns->ext_rcode = 0;
|
||||
edns->bits &= EDNS_DO;
|
||||
if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
|
||||
edns->edns_present = 0;
|
||||
*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
|
||||
if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
|
||||
!partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep,
|
||||
|
@ -1,3 +1,12 @@
|
||||
12 October 2023: Wouter
|
||||
- Merge #944: Disable EDNS DO.
|
||||
Disable the EDNS DO flag in upstream requests. This can be helpful
|
||||
for devices that cannot handle DNSSEC information. But it should not
|
||||
be enabled otherwise, because that would stop DNSSEC validation. The
|
||||
DNSSEC validation would not work for Unbound itself, and also not
|
||||
for downstream users. Default is no. The option
|
||||
is disable-edns-do: no
|
||||
|
||||
11 October 2023: George
|
||||
- Fix #850: [FR] Ability to use specific database in Redis, with new
|
||||
redis-logical-db configuration option.
|
||||
|
@ -683,6 +683,11 @@ server:
|
||||
# that set CD but cannot validate themselves.
|
||||
# ignore-cd-flag: no
|
||||
|
||||
# Disable the DO flag in outgoing requests. It is helpful for upstream
|
||||
# devices that cannot handle DNSSEC information. But do not enable it
|
||||
# otherwise, because it would stop DNSSEC validation.
|
||||
# disable-edns-do: no
|
||||
|
||||
# Serve expired responses from cache, with serve-expired-reply-ttl in
|
||||
# the response, and then attempt to fetch the data afresh.
|
||||
# serve-expired: no
|
||||
|
@ -1302,6 +1302,20 @@ servers that set the CD flag but cannot validate DNSSEC themselves are
|
||||
the clients, and then Unbound provides them with DNSSEC protection.
|
||||
The default value is "no".
|
||||
.TP
|
||||
.B disable\-edns\-do: \fI<yes or no>
|
||||
Disable the EDNS DO flag in upstream requests.
|
||||
It breaks DNSSEC validation for Unbound's clients.
|
||||
This results in the upstream name servers to not include DNSSEC records in
|
||||
their replies and could be helpful for devices that cannot handle DNSSEC
|
||||
information.
|
||||
When the option is enabled, clients that set the DO flag receive no EDNS
|
||||
record in the response to indicate the lack of support to them.
|
||||
If this option is enabled but Unbound is already configured for DNSSEC
|
||||
validation (i.e., the validator module is enabled; default) this option is
|
||||
implicitly turned off with a warning as to not break DNSSEC validation in
|
||||
Unbound.
|
||||
Default is no.
|
||||
.TP
|
||||
.B serve\-expired: \fI<yes or no>
|
||||
If enabled, Unbound attempts to serve old responses from cache with a
|
||||
TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
|
||||
|
@ -2875,7 +2875,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* unset CD if to forwarder(RD set) and not dnssec retry
|
||||
* (blacklist nonempty) and no trust-anchors are configured
|
||||
* above the qname or on the first attempt when dnssec is on */
|
||||
EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
|
||||
(qstate->env->cfg->disable_edns_do?0:EDNS_DO)|
|
||||
((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
|
||||
!qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
|
||||
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
|
||||
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
|
||||
|
@ -1197,6 +1197,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
r->edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
r->edns.ext_rcode = 0;
|
||||
r->edns.bits &= EDNS_DO;
|
||||
if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
|
||||
r->edns.edns_present = 0;
|
||||
|
||||
if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
|
||||
LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
|
||||
@ -1372,6 +1374,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
r->edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
r->edns.ext_rcode = 0;
|
||||
r->edns.bits &= EDNS_DO;
|
||||
if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
|
||||
r->edns.edns_present = 0;
|
||||
m->s.qinfo.qname = r->qname;
|
||||
m->s.qinfo.local_alias = r->local_alias;
|
||||
|
||||
|
@ -707,6 +707,23 @@ morechecks(struct config_file* cfg)
|
||||
cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
|
||||
check_chroot_filelist_wild("trusted-keys-file",
|
||||
cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
|
||||
if(cfg->disable_edns_do && strstr(cfg->module_conf, "validator")
|
||||
&& (cfg->trust_anchor_file_list
|
||||
|| cfg->trust_anchor_list
|
||||
|| cfg->auto_trust_anchor_file_list
|
||||
|| cfg->trusted_keys_file_list)) {
|
||||
char* key = NULL;
|
||||
if(cfg->auto_trust_anchor_file_list)
|
||||
key = cfg->auto_trust_anchor_file_list->str;
|
||||
if(!key && cfg->trust_anchor_file_list)
|
||||
key = cfg->trust_anchor_file_list->str;
|
||||
if(!key && cfg->trust_anchor_list)
|
||||
key = cfg->trust_anchor_list->str;
|
||||
if(!key && cfg->trusted_keys_file_list)
|
||||
key = cfg->trusted_keys_file_list->str;
|
||||
if(!key) key = "";
|
||||
fatal_exit("disable-edns-do does not allow DNSSEC to work, but the validator module uses a trust anchor %s, turn off disable-edns-do or disable validation", key);
|
||||
}
|
||||
#ifdef USE_IPSECMOD
|
||||
if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
|
||||
/* only check hook if enabled */
|
||||
|
@ -1249,7 +1249,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
|
||||
edns.edns_version = EDNS_ADVERTISED_VERSION;
|
||||
edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
edns.bits = 0;
|
||||
if(dnssec)
|
||||
if((dnssec & EDNS_DO))
|
||||
edns.bits = EDNS_DO;
|
||||
edns.padding_block_size = 0;
|
||||
edns.cookie_present = 0;
|
||||
|
164
testdata/disable_edns_do.rpl
vendored
Normal file
164
testdata/disable_edns_do.rpl
vendored
Normal file
@ -0,0 +1,164 @@
|
||||
; config options
|
||||
; The island of trust is at example.com
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: "no"
|
||||
trust-anchor-signaling: no
|
||||
minimal-responses: no
|
||||
disable-edns-do: yes
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test lookup with disable-edns-do
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. IN NS
|
||||
SECTION ANSWER
|
||||
. IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to DNSKEY priming query
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN DNSKEY
|
||||
SECTION ANSWER
|
||||
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
|
||||
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest, when sent with EDNS DO
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname DO
|
||||
ADJUST copy_id
|
||||
REPLY QR AA DO NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
|
||||
ENTRY_END
|
||||
|
||||
; response to query of interest, when sent without DO
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD DO
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; recursion happens here.
|
||||
STEP 10 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
@ -271,6 +271,7 @@ config_create(void)
|
||||
cfg->val_permissive_mode = 0;
|
||||
cfg->aggressive_nsec = 1;
|
||||
cfg->ignore_cd = 0;
|
||||
cfg->disable_edns_do = 0;
|
||||
cfg->serve_expired = 0;
|
||||
cfg->serve_expired_ttl = 0;
|
||||
cfg->serve_expired_ttl_reset = 0;
|
||||
@ -692,6 +693,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_YNO("val-permissive-mode:", val_permissive_mode)
|
||||
else S_YNO("aggressive-nsec:", aggressive_nsec)
|
||||
else S_YNO("ignore-cd-flag:", ignore_cd)
|
||||
else S_YNO("disable-edns-do:", disable_edns_do)
|
||||
else if(strcmp(opt, "serve-expired:") == 0)
|
||||
{ IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0);
|
||||
SERVE_EXPIRED = cfg->serve_expired; }
|
||||
@ -1154,6 +1156,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
|
||||
else O_YNO(opt, "aggressive-nsec", aggressive_nsec)
|
||||
else O_YNO(opt, "ignore-cd-flag", ignore_cd)
|
||||
else O_YNO(opt, "disable-edns-do", disable_edns_do)
|
||||
else O_YNO(opt, "serve-expired", serve_expired)
|
||||
else O_DEC(opt, "serve-expired-ttl", serve_expired_ttl)
|
||||
else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
|
||||
|
@ -409,6 +409,8 @@ struct config_file {
|
||||
int aggressive_nsec;
|
||||
/** ignore the CD flag in incoming queries and refuse them bogus data */
|
||||
int ignore_cd;
|
||||
/** disable EDNS DO flag in outgoing requests */
|
||||
int disable_edns_do;
|
||||
/** serve expired entries and prefetch them */
|
||||
int serve_expired;
|
||||
/** serve expired entries until TTL after expiration */
|
||||
|
@ -403,6 +403,7 @@ val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
|
||||
val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
|
||||
aggressive-nsec{COLON} { YDVAR(1, VAR_AGGRESSIVE_NSEC) }
|
||||
ignore-cd-flag{COLON} { YDVAR(1, VAR_IGNORE_CD_FLAG) }
|
||||
disable-edns-do{COLON} { YDVAR(1, VAR_DISABLE_EDNS_DO) }
|
||||
serve-expired{COLON} { YDVAR(1, VAR_SERVE_EXPIRED) }
|
||||
serve-expired-ttl{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
|
||||
serve-expired-ttl-reset{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
|
||||
|
@ -199,7 +199,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
|
||||
%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
|
||||
%token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
|
||||
%token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_CACHEDB_NO_STORE
|
||||
%token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -333,7 +333,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
|
||||
server_interface_automatic_ports | server_ede |
|
||||
server_proxy_protocol_port | server_statistics_inhibit_zero |
|
||||
server_harden_unknown_additional
|
||||
server_harden_unknown_additional | server_disable_edns_do
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -2061,6 +2061,15 @@ server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_disable_edns_do: VAR_DISABLE_EDNS_DO STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_disable_edns_do:%s)\n", $2));
|
||||
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
|
||||
yyerror("expected yes or no.");
|
||||
else cfg_parser->cfg->disable_edns_do = (strcmp($2, "yes")==0);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_serve_expired:%s)\n", $2));
|
||||
|
@ -1012,8 +1012,10 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
|
||||
ede_size = calc_ede_option_size(edns, &ede_txt_size);
|
||||
if(sldns_buffer_capacity(pkt) < udpsize)
|
||||
udpsize = sldns_buffer_capacity(pkt);
|
||||
if(!edns || !edns->edns_present) {
|
||||
attach_edns = 0;
|
||||
/* EDEs are optional, try to fit anything else before them */
|
||||
if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
|
||||
} else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
|
||||
/* packet too small to contain edns, omit it. */
|
||||
attach_edns = 0;
|
||||
} else {
|
||||
|
@ -1322,3 +1322,24 @@ anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
|
||||
free(taglist);
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct trust_anchor*
|
||||
anchors_find_any_noninsecure(struct val_anchors* anchors)
|
||||
{
|
||||
struct trust_anchor* ta, *next;
|
||||
lock_basic_lock(&anchors->lock);
|
||||
ta=(struct trust_anchor*)rbtree_first(anchors->tree);
|
||||
while((rbnode_type*)ta != RBTREE_NULL) {
|
||||
next = (struct trust_anchor*)rbtree_next(&ta->node);
|
||||
lock_basic_lock(&ta->lock);
|
||||
if(ta->numDS != 0 || ta->numDNSKEY != 0) {
|
||||
/* not an insecurepoint */
|
||||
lock_basic_unlock(&anchors->lock);
|
||||
return ta;
|
||||
}
|
||||
lock_basic_unlock(&ta->lock);
|
||||
ta = next;
|
||||
}
|
||||
lock_basic_unlock(&anchors->lock);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -240,4 +240,12 @@ size_t anchor_list_keytags(struct trust_anchor* ta, uint16_t* list, size_t num);
|
||||
int anchor_has_keytag(struct val_anchors* anchors, uint8_t* name, int namelabs,
|
||||
size_t namelen, uint16_t dclass, uint16_t keytag);
|
||||
|
||||
/**
|
||||
* Find an anchor that is not an insecure point, if any, or there are no
|
||||
* DNSSEC verification anchors if none.
|
||||
* @param anchors: anchor storage
|
||||
* @return trust anchor or NULL. It is locked.
|
||||
*/
|
||||
struct trust_anchor* anchors_find_any_noninsecure(struct val_anchors* anchors);
|
||||
|
||||
#endif /* VALIDATOR_VAL_ANCHOR_H */
|
||||
|
@ -200,6 +200,17 @@ val_init(struct module_env* env, int id)
|
||||
log_err("validator: could not apply configuration settings.");
|
||||
return 0;
|
||||
}
|
||||
if(env->cfg->disable_edns_do) {
|
||||
struct trust_anchor* anchor = anchors_find_any_noninsecure(
|
||||
env->anchors);
|
||||
if(anchor) {
|
||||
char b[LDNS_MAX_DOMAINLEN+2];
|
||||
dname_str(anchor->name, b);
|
||||
log_warn("validator: disable-edns-do is enabled, but there is a trust anchor for '%s'. Since DNSSEC could not work, the disable-edns-do setting is turned off. Continuing without it.", b);
|
||||
lock_basic_unlock(&anchor->lock);
|
||||
env->cfg->disable_edns_do = 0;
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user