- Fix #746: Fix unbound sets CD bit on all forwards.
If no trust anchors, it'll not set CD bit when forwarding to another server. If a trust anchor, no CD bit on the first attempt to a forwarder, but CD bit thereafter on repeated attempts to get DNSSEC. git-svn-id: file:///svn/unbound/trunk@3679 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
1cf82595a7
commit
47e2026ca6
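--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -1,3 +1,9 @@
+17 March 2016: Wouter
+- Fix #746: Fix unbound sets CD bit on all forwards.
+If no trust anchors, it'll not set CD bit when forwarding to another
+server. If a trust anchor, no CD bit on the first attempt to a
+forwarder, but CD bit thereafter on repeated attempts to get DNSSEC.
+
 16 March 2016: Wouter
 - Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
 - Fix ip-transparent for tcp on freebsd.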
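--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -590,6 +590,27 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
 return 1;
 }
 
+int
+iter_indicates_dnssec_fwd(struct module_env* env, struct query_info *qinfo)
+{
+struct trust_anchor* a;
+if(!env || !env->anchors || !qinfo || !qinfo->qname)
+return 0;
+/* a trust anchor exists above the name? */
+if((a=anchors_lookup(env->anchors, qinfo->qname, qinfo->qname_len,
+qinfo->qclass))) {
+if(a->numDS == 0 && a->numDNSKEY == 0) {
+/* insecure trust point */
+lock_basic_unlock(&a->lock);
+return 0;
+}
+lock_basic_unlock(&a->lock);
+return 1;
+}
+/* no trust anchor above it. */
+return 0;
+}
+
 int
 iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 struct dns_msg* msg, uint16_t dclass)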
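Review bot: Both branches under the anchors_lookup() hit in iter_indicates_dnssec_fwd() unlock the anchor and return, so the lock release is duplicated and the secure/insecure decision is buried one level deeper than it needs to be; computing the result first and unlocking once reads cleaner and leaves a single release point to audit: `int secure = (a->numDS != 0 || a->numDNSKEY != 0); lock_basic_unlock(&a->lock); return secure;`. The function presumably relies on anchors_lookup() handing back the anchor locked, since it unlocks on both paths, but nothing at the call says so; a one-line comment at the lookup, `/* anchors_lookup returns the anchor locked; released before return */`, would keep a later reader from treating the unlock as stray. The early NULL checks and the "no anchor above" path return 0, which the header's @return text covers, but the distinction between "no anchor" and "insecure trust point" is lost in the return value; if callers ever need it, a comment noting that both collapse to 0 here would help.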
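--- a/PATH_NOT_SHOWN_3
+++ b/PATH_NOT_SHOWN_3
@@ -173,6 +173,18 @@ void iter_mark_pside_cycle_targets(struct module_qstate* qstate,
 int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
 struct delegpt* dp);
 
+/**
+* See if qname has DNSSEC needs in the forwarding case. This is true if
+* there is a trust anchor above it. Whether there is an insecure delegation
+* to the data is unknown, but CD-retry is needed.
+* @param env: environment with anchors.
+* @param qinfo: query name and class.
+* @return true if trust anchor above qname, false if no anchor or insecure
+* point above qname.
+*/
+int iter_indicates_dnssec_fwd(struct module_env* env,
+struct query_info *qinfo);
+
 /**
 * See if delegation is expected to have DNSSEC information (RRSIGs) in
 * its answers, or not. Inspects delegation point (name), trust anchors,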
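--- a/PATH_NOT_SHOWN_4
+++ b/PATH_NOT_SHOWN_4
@@ -2090,7 +2090,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 outq = (*qstate->env->send_query)(
 iq->qinfo_out.qname, iq->qinfo_out.qname_len,
 iq->qinfo_out.qtype, iq->qinfo_out.qclass,
-iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), EDNS_DO|BIT_CD,
+iq->chase_flags | (iq->chase_to_rd?BIT_RD:0),
+/* unset CD if to forwarder(RD set) and not dnssec retry
+* (blacklist nonempty) and no trust-anchors are configured
+* above the qname or on the first attempt when dnssec is on */
+EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
+!qstate->blacklist&&(!iter_indicates_dnssec_fwd(qstate->env,
+&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
 iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
 ie, iq), &target->addr, target->addrlen, iq->dp->name,
 iq->dp->namelen, qstate);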
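Review bot: The EDNS flags argument is now a three-line boolean expression with a ternary inlined in the middle of a nine-argument call, and the comment above it reads "not dnssec retry (blacklist nonempty)" when the code tests `!qstate->blacklist`, i.e. the blacklist being empty; the parenthesisation is correct (the `&&` chain binds before `?:` and the whole conditional is wrapped before the `|`), but that is exactly the kind of thing a later edit breaks, and the comment as written points the reader the wrong way. Hoisting the decision into named locals before the send_query call, with the comment restated so that "dnssec retry" is defined as the blacklist being non-empty, keeps the call readable and makes the CD policy greppable; if the file keeps C89-style declarations, the locals go at the top of the enclosing block. Note that on a retry (blacklist non-empty) CD is set regardless of whether an anchor exists above the qname, which matches the commit description only if the blacklist can never be non-empty without trust anchors; worth confirming against how the blacklist is populated. processQueryTargets() starts and ends outside the hunk.
```c
/* Leave CD clear when sending to a forwarder (RD set) on the first
 * attempt, or when no trust anchor is configured above the qname.
 * Set CD on a DNSSEC retry (blacklist non-empty) or on later attempts
 * with an anchor above the qname, so we fetch the data and validate. */
int to_fwd = iq->chase_to_rd || (iq->chase_flags & BIT_RD) != 0;
int dnssec_retry = qstate->blacklist != NULL;
int clear_cd = to_fwd && !dnssec_retry &&
	(!iter_indicates_dnssec_fwd(qstate->env, &iq->qinfo_out)
	|| target->attempts == 1);
uint16_t edns_flags = EDNS_DO | (clear_cd ? 0 : BIT_CD);
/* … unchanged: send_query call, with edns_flags passed in place of the inline expression … */
```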