[ipfire-2.x.git] / src / patches / dnsmasq / 0075-Auth-correct-replies-to-NS-and-SOA-in-.arpa-zones.patch

From 78c6184752dce27849e36cce4360abc27b8d76d2 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 16 Apr 2015 15:05:30 +0100
Subject: [PATCH 75/98] Auth: correct replies to NS and SOA in .arpa zones.

---
 CHANGELOG  |  8 ++++++++
 src/auth.c | 51 ++++++++++++++++++++++++++++++---------------------
 2 files changed, 38 insertions(+), 21 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index f2142c71cbdc..0619788e9cef 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -94,6 +94,14 @@ version 2.73
 	    in the auth-zone declaration. Thanks to Johnny S. Lee
 	    for the bugreport and initial patch.
 
+	    Fix authoritative DNS code to correctly reply to NS 
+	    and SOA queries for .arpa zones for which we are 
+	    declared authoritative by means of a subnet in auth-zone.
+	    Previously we provided correct answers to PTR queries
+	    in such zones (including NS and SOA) but not direct
+	    NS and SOA queries. Thanks to Johnny S. Lee for 
+	    pointing out the problem.
+
 	
 version 2.72
             Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
diff --git a/src/auth.c b/src/auth.c
index 4a5c39fc5c07..2b0b7d6b052d 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -131,24 +131,27 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  continue;
 	}
 
-      if (qtype == T_PTR)
+      if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) &&
+	  (flag = in_arpa_name_2_addr(name, &addr)) &&
+	  !local_query)
 	{
-	  if (!(flag = in_arpa_name_2_addr(name, &addr)))
-	    continue;
-
-	  if (!local_query)
+	  for (zone = daemon->auth_zones; zone; zone = zone->next)
+	    if ((subnet = find_subnet(zone, flag, &addr)))
+	      break;
+	  
+	  if (!zone)
 	    {
-	      for (zone = daemon->auth_zones; zone; zone = zone->next)
-		if ((subnet = find_subnet(zone, flag, &addr)))
-		  break;
-			
-	      if (!zone)
-		{
-		  auth = 0;
-		  continue;
-		}
+	      auth = 0;
+	      continue;
 	    }
+	  else if (qtype == T_SOA)
+	    soa = 1, found = 1;
+	  else if (qtype == T_NS)
+	    ns = 1, found = 1;
+	}
 
+      if (qtype == T_PTR && flag)
+	{
 	  intr = NULL;
 
 	  if (flag == F_IPV4)
@@ -243,14 +246,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}
       
     cname_restart:
-      for (zone = daemon->auth_zones; zone; zone = zone->next)
-	if (in_zone(zone, name, &cut))
-	  break;
-      
-      if (!zone)
+      if (found)
+	/* NS and SOA .arpa requests have set found above. */
+	cut = NULL;
+      else
 	{
-	  auth = 0;
-	  continue;
+	  for (zone = daemon->auth_zones; zone; zone = zone->next)
+	    if (in_zone(zone, name, &cut))
+	      break;
+	  
+	  if (!zone)
+	    {
+	      auth = 0;
+	      continue;
+	    }
 	}
 
       for (rec = daemon->mxnames; rec; rec = rec->next)
-- 
2.1.0
Commit	Line	Data
d54a2ce4 MT	1	From 78c6184752dce27849e36cce4360abc27b8d76d2 Mon Sep 17 00:00:00 2001
	2	From: Simon Kelley <simon@thekelleys.org.uk>
	3	Date: Thu, 16 Apr 2015 15:05:30 +0100
888c41de	4	Subject: [PATCH 75/98] Auth: correct replies to NS and SOA in .arpa zones.
d54a2ce4 MT	5
	6	---
	7	CHANGELOG \| 8 ++++++++
	8	src/auth.c \| 51 ++++++++++++++++++++++++++++++---------------------
	9	2 files changed, 38 insertions(+), 21 deletions(-)
	10
	11	diff --git a/CHANGELOG b/CHANGELOG
	12	index f2142c71cbdc..0619788e9cef 100644
	13	--- a/CHANGELOG
	14	+++ b/CHANGELOG
	15	@@ -94,6 +94,14 @@ version 2.73
	16	in the auth-zone declaration. Thanks to Johnny S. Lee
	17	for the bugreport and initial patch.
	18
	19	+ Fix authoritative DNS code to correctly reply to NS
	20	+ and SOA queries for .arpa zones for which we are
	21	+ declared authoritative by means of a subnet in auth-zone.
	22	+ Previously we provided correct answers to PTR queries
	23	+ in such zones (including NS and SOA) but not direct
	24	+ NS and SOA queries. Thanks to Johnny S. Lee for
	25	+ pointing out the problem.
	26	+
	27
	28	version 2.72
	29	Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
	30	diff --git a/src/auth.c b/src/auth.c
	31	index 4a5c39fc5c07..2b0b7d6b052d 100644
	32	--- a/src/auth.c
	33	+++ b/src/auth.c
	34	@@ -131,24 +131,27 @@ size_t answer_auth(struct dns_header header, char limit, size_t qlen, time_t n
	35	continue;
	36	}
	37
	38	- if (qtype == T_PTR)
	39	+ if ((qtype == T_PTR \|\| qtype == T_SOA \|\| qtype == T_NS) &&
	40	+ (flag = in_arpa_name_2_addr(name, &addr)) &&
	41	+ !local_query)
	42	{
	43	- if (!(flag = in_arpa_name_2_addr(name, &addr)))
	44	- continue;
	45	-
	46	- if (!local_query)
	47	+ for (zone = daemon->auth_zones; zone; zone = zone->next)
	48	+ if ((subnet = find_subnet(zone, flag, &addr)))
	49	+ break;
	50	+
	51	+ if (!zone)
	52	{
	53	- for (zone = daemon->auth_zones; zone; zone = zone->next)
	54	- if ((subnet = find_subnet(zone, flag, &addr)))
	55	- break;
	56	-
	57	- if (!zone)
	58	- {
	59	- auth = 0;
	60	- continue;
	61	- }
	62	+ auth = 0;
	63	+ continue;
	64	}
	65	+ else if (qtype == T_SOA)
	66	+ soa = 1, found = 1;
	67	+ else if (qtype == T_NS)
	68	+ ns = 1, found = 1;
69	+ }
70
71	+ if (qtype == T_PTR && flag)
72	+ {
73	intr = NULL;
74
75	if (flag == F_IPV4)
76	@@ -243,14 +246,20 @@ size_t answer_auth(struct dns_header header, char limit, size_t qlen, time_t n
77	}
78
79	cname_restart:
80	- for (zone = daemon->auth_zones; zone; zone = zone->next)
81	- if (in_zone(zone, name, &cut))
82	- break;
83	-
84	- if (!zone)
85	+ if (found)
86	+ /* NS and SOA .arpa requests have set found above. */
87	+ cut = NULL;
88	+ else
89	{
90	- auth = 0;
91	- continue;
92	+ for (zone = daemon->auth_zones; zone; zone = zone->next)
93	+ if (in_zone(zone, name, &cut))
94	+ break;
95	+
96	+ if (!zone)
97	+ {
98	+ auth = 0;
99	+ continue;
100	+ }
101	}
102
103	for (rec = daemon->mxnames; rec; rec = rec->next)
104	--
105	2.1.0
106