- disable-edns-do, queriers receive no EDNS in response if the
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 4 Oct 2023 11:54:05 +0000 (13:54 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 4 Oct 2023 11:54:05 +0000 (13:54 +0200)
  disable-edns-do option is enabled and they set the DO flag. And a unit test
  for that.

daemon/worker.c
doc/unbound.conf.5.in
services/mesh.c
testdata/disable_edns_do.rpl
util/data/msgencode.c

index 2433f97dd09fc4fe49748c52dd85ca8c7767ec3d..8ae05eb67e664d2822a9f7aa0a8c32e1e16deb70 100644 (file)
@@ -543,6 +543,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
        edns->udp_size = EDNS_ADVERTISED_SIZE;
        edns->ext_rcode = 0;
        edns->bits &= EDNS_DO;
+       if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
+               edns->edns_present = 0;
        if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, msg->rep,
                (int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
                worker->env.now_tv))
@@ -703,6 +705,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
                edns->udp_size = EDNS_ADVERTISED_SIZE;
                edns->ext_rcode = 0;
                edns->bits &= EDNS_DO;
+               if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
+                       edns->edns_present = 0;
                if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
                        LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
                        worker->env.now_tv))
@@ -743,6 +747,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
        edns->udp_size = EDNS_ADVERTISED_SIZE;
        edns->ext_rcode = 0;
        edns->bits &= EDNS_DO;
+       if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
+               edns->edns_present = 0;
        *alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
        if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
                !partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep,
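Review bot: The two-line disable-edns-do check inserted before `*alias_rrset = NULL;` is the same text pasted three times in this file (once in answer_norec_from_cache, twice in answer_from_cache) and twice more in services/mesh.c (mesh_do_callback and mesh_send_reply), so the rule for when a reply drops its OPT record now lives in five places and the two copies already differ in spacing (`bits & EDNS_DO` here, `bits&EDNS_DO` in mesh.c). A small shared helper called from each site would keep the condition and its rationale together; the name below is only a suggestion. The helper only clears edns_present and leaves udp_size and ext_rcode as the preceding lines set them, matching what the pasted code does today. answer_from_cache continues outside this hunk.
```c
/* Drop the OPT record from the reply when disable-edns-do is set and the
 * querier asked for DO, so that the lack of DO support is signalled to it.
 * (Proposed helper; the name is a suggestion.) */
static void
apply_disable_edns_do(struct config_file* cfg, struct edns_data* edns)
{
	if(cfg->disable_edns_do && (edns->bits & EDNS_DO))
		edns->edns_present = 0;
}

/* … unchanged: answer_from_cache up to edns->bits &= EDNS_DO; … */
	apply_disable_edns_do(worker->env.cfg, edns);
	*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
```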
index bbc6ddae57f29d63902ffce508210ddae6e3b7b0..b56fe20bb2d25b68b3b4bea096985a80526c096d 100644 (file)
@@ -1307,6 +1307,8 @@ Disable the EDNS DO flag in upstream requests. This can be helpful for
 devices that cannot handle DNSSEC information. But it should not be enabled
 otherwise, because that would stop DNSSEC validation. The DNSSEC validation
 would not work for Unbound itself, and also not for downstream users.
+When the option is enabled, queriers that set the DO flag receive no EDNS
+record in the response to indicate the lack of support to them.
 Default is no.
 .TP
 .B serve\-expired: \fI<yes or no>
index be968e42234f597eaf5b18f255a0df006526283d..509bee36a2c44cf0ee25518edc7e682e4dce4919 100644 (file)
@@ -1197,6 +1197,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
                r->edns.udp_size = EDNS_ADVERTISED_SIZE;
                r->edns.ext_rcode = 0;
                r->edns.bits &= EDNS_DO;
+               if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
+                       r->edns.edns_present = 0;
 
                if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
                        LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
@@ -1372,6 +1374,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
                r->edns.udp_size = EDNS_ADVERTISED_SIZE;
                r->edns.ext_rcode = 0;
                r->edns.bits &= EDNS_DO;
+               if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
+                       r->edns.edns_present = 0;
                m->s.qinfo.qname = r->qname;
                m->s.qinfo.local_alias = r->local_alias;
 
index 86b0c32a9d94c83ad7543fefc634993374571d68..82a16da062f15d433ae0ca28ff0781f6c647d483 100644 (file)
@@ -150,7 +150,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
index a170eb7b8a67b052721411abdb3bac055a2f8d46..80ae33a386617df1cda76e19706b2838c6726112 100644 (file)
@@ -1012,8 +1012,10 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
        ede_size = calc_ede_option_size(edns, &ede_txt_size);
        if(sldns_buffer_capacity(pkt) < udpsize)
                udpsize = sldns_buffer_capacity(pkt);
+       if(!edns || !edns->edns_present) {
+               attach_edns = 0;
        /* EDEs are optional, try to fit anything else before them */
-       if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
+       } else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
                /* packet too small to contain edns, omit it. */
                attach_edns = 0;
        } else {
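Review bot: The comment `/* EDEs are optional, try to fit anything else before them */` now sits inside the body of the new `if(!edns || !edns->edns_present)` branch, after `attach_edns = 0;`, while it explains the `else if` size check that follows the closing brace; moving it above the `if` line keeps it next to the condition it describes. Separately, `udpsize` is computed before this hunk and is only capped by the buffer capacity here, so if it was taken from edns->udp_size a reply that now omits the OPT record is still bounded by the querier's advertised size rather than the 512-byte non-EDNS limit — presumably intended, since the querier did advertise it, but a one-line comment such as `/* no OPT record is attached, but the querier's advertised udp size still bounds the reply */` would record that. Also `calc_ede_option_size(edns, &ede_txt_size)` on the first line of the hunk runs before the `!edns` test; if edns can really be NULL here that call must tolerate it (it may already — not visible in the hunk). reply_info_answer_encode continues outside the hunk.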