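diff --git a/resolv/arpa/nameser.h b/resolv/arpa/nameser.h
index fb8513b..372d5cd 100644
--- a/resolv/arpa/nameser.h
+++ b/resolv/arpa/nameser.h
@@ -293,6 +293,9 @@ typedef enum __ns_type {
 ns_t_sink = 40, /*%< Kitchen sink (experimentatl) */
 ns_t_opt = 41, /*%< EDNS0 option (meta-RR) */
 ns_t_apl = 42, /*%< Address prefix list (RFC3123) */
+ ns_t_rrsig = 46, /*%< DNSSEC RRset Signature (RFC4034) */
+ ns_t_nsec = 47, /*%< DNSSEC Next-Secure Record (RFC4034)*/
+ ns_t_dnskey = 48, /*%< DNSSEC key record (RFC4034) */
 ns_t_tkey = 249, /*%< Transaction key */
 ns_t_tsig = 250, /*%< Transaction signature. */
 ns_t_ixfr = 251, /*%< Incremental zone transfer. */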
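Review bot: Only three DNSSEC record types are added to the enum here (and mirrored as T_* macros in nameser_compat.h); `ns_t_ds = 43` from the same RFC 4034 and the NSEC3 types of RFC 5155 (`ns_t_nsec3 = 50`, `ns_t_nsec3param = 51`) are DNSSEC records as well and are not covered by the new type checks in gethnamaddr.c and dns-host.c, so a zone signed with NSEC3 would presumably still trigger the "asked for … got type" notice this change is meant to quiet. Whether those records can appear in the answer section that getanswer walks is not visible on this page, so it is worth confirming before widening the list in all three places.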
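diff --git a/resolv/arpa/nameser_compat.h b/resolv/arpa/nameser_compat.h
index d59c9e4..284bff7 100644
--- a/resolv/arpa/nameser_compat.h
+++ b/resolv/arpa/nameser_compat.h
@@ -164,6 +164,9 @@ typedef struct {
 #define T_NAPTR ns_t_naptr
 #define T_A6 ns_t_a6
 #define T_DNAME ns_t_dname
+#define T_RRSIG ns_t_rrsig
+#define T_NSEC ns_t_nsec
+#define T_DNSKEY ns_t_dnskey
 #define T_TSIG ns_t_tsig
 #define T_IXFR ns_t_ixfr
 #define T_AXFR ns_t_axfr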
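diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c
index a861a84..ae55fac 100644
--- a/resolv/gethnamaddr.c
+++ b/resolv/gethnamaddr.c
@@ -331,23 +331,36 @@ getanswer (const querybuf *answer, int anslen, const char *qname, int qtype)
 buflen -= n;
 continue;
 }
- if ((type == T_SIG) || (type == T_KEY) || (type == T_NXT)) {
- /* We don't support DNSSEC yet. For now, ignore
- * the record and send a low priority message
- * to syslog.
- */
- syslog(LOG_DEBUG|LOG_AUTH,
+ if ((type == T_SIG) || (type == T_KEY) || (type == T_NXT)
+ || (type == T_RRSIG) || (type == T_NSEC)
+ || (type == T_DNSKEY)) {
+ /* We don't support DNSSEC responses yet, but we do
+ * allow setting the DO bit. If the DNS server sent us
+ * these records without us asking for it, ignore the
+ * record and send a low priority message to syslog.
+ */
+ if ((_res.options & RES_USE_DNSSEC) == 0) {
+ syslog(LOG_DEBUG|LOG_AUTH,
 "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
- qname, p_class(C_IN), p_type(qtype),
- p_type(type));
+ qname, p_class(C_IN), p_type(qtype),
+ p_type(type));
+ }
 cp += n;
 continue;
 }
 if (type != qtype) {
- syslog(LOG_NOTICE|LOG_AUTH,
+ /* Skip logging if we received a DNAME when we have set
+ * the DO bit. DNAME records are a convenient way to
+ * set up DNSSEC records and such setups can make this
+ * log message needlessly noisy.
+ */
+ if (!((_res.options & RES_USE_DNSSEC)
+ && type == T_DNAME)) {
+ syslog(LOG_NOTICE|LOG_AUTH,
 "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
- qname, p_class(C_IN), p_type(qtype),
- p_type(type));
+ qname, p_class(C_IN), p_type(qtype),
+ p_type(type));
+ }
 cp += n;
 continue; /* XXX - had_error++ ? */
 }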
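Review bot: With RES_USE_DNSSEC set, the RRSIG/NSEC/DNSKEY records are now dropped without a trace and the remaining answer records are returned exactly as before, so setting the DO bit gives the caller no validation at all; the new comment should state that plainly, e.g. `/* RES_USE_DNSSEC only sets the DO bit: the signature records are discarded unverified, so the answer is no more authenticated than without it. */`, otherwise a reader may take the option for a security guarantee. The same applies to both hunks in resolv/nss_dns/dns-host.c. As a point of style, `_res.options & RES_USE_DNSSEC` is re-evaluated in two branches of the same loop; a `const int dnssec = (_res.options & RES_USE_DNSSEC) != 0;` hoisted above the loop would make both conditions easier to read. getanswer's body starts and ends outside this hunk.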
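diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0..510d388 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -822,13 +822,20 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 }
 if (__builtin_expect (type == T_SIG, 0)
 || __builtin_expect (type == T_KEY, 0)
- || __builtin_expect (type == T_NXT, 0))
+ || __builtin_expect (type == T_NXT, 0)
+ || __builtin_expect (type == T_RRSIG, 0)
+ || __builtin_expect (type == T_NSEC, 0)
+ || __builtin_expect (type == T_DNSKEY, 0))
 {
- /* We don't support DNSSEC yet. For now, ignore the record
- and send a low priority message to syslog. */
- syslog (LOG_DEBUG | LOG_AUTH,
- "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
- qname, p_class (C_IN), p_type(qtype), p_type (type));
+ /* We don't support DNSSEC responses yet, but we do allow setting the
+ DO bit. If the DNS server sent us these records without us asking
+ for it, ignore the record and send a low priority message to
+ syslog. */
+ if ((_res.options & RES_USE_DNSSEC) == 0)
+ syslog (LOG_DEBUG | LOG_AUTH,
+ "gethostby*.getanswer: asked for \"%s %s %s\", "
+ "got type \"%s\"",
+ qname, p_class (C_IN), p_type(qtype), p_type (type));
 cp += n;
 continue;
 }
@@ -837,9 +844,14 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 have_to_map = 1;
 else if (__builtin_expect (type != qtype, 0))
 {
- syslog (LOG_NOTICE | LOG_AUTH,
- "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
- qname, p_class (C_IN), p_type (qtype), p_type (type));
+ /* Skip logging if we received a DNAME when we have set the DO bit.
+ DNAME records are a convenient way to set up DNSSEC records and
+ such setups can make this log message needlessly noisy. */
+ if (!((_res.options & RES_USE_DNSSEC) && type == T_DNAME))
+ syslog (LOG_NOTICE | LOG_AUTH,
+ "gethostby*.getanswer: asked for \"%s %s %s\", "
+ "got type \"%s\"",
+ qname, p_class (C_IN), p_type (qtype), p_type (type));
 cp += n;
 continue; /* XXX - had_error++ ? */
 }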
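diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index 7843439..4a49629 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -450,6 +450,8 @@ const struct res_sym __p_type_syms[] = {
 {ns_t_kx, "KX", "Key Exchange"},
 {ns_t_cert, "CERT", "Certificate"},
 {ns_t_any, "ANY", "\"any\""},
+ /* TODO Add RRSIG, NSEC and DNSKEY once we actually do something with
+ them. */
 {0, NULL, NULL}
 };
 libresolv_hidden_data_def (__p_type_syms)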
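Review bot: The syslog calls changed in gethnamaddr.c and dns-host.c still format the record type through p_type(), so with this TODO left open an unrequested RRSIG, NSEC or DNSKEY is presumably reported by p_type's numeric fallback rather than by name, which makes the very messages this commit touches harder to read in logs. The three table rows do not depend on validation support and could go in now, next to the CERT entry, e.g. `{ns_t_rrsig, "RRSIG", "DNSSEC RRset signature"},` with matching lines for NSEC and DNSKEY.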