[ipfire-2.x.git] / src / patches / glibc / glibc-rh1088301.patch

diff --git a/resolv/arpa/nameser.h b/resolv/arpa/nameser.h
index fb8513b..372d5cd 100644
--- a/resolv/arpa/nameser.h
+++ b/resolv/arpa/nameser.h
@@ -293,6 +293,9 @@ typedef enum __ns_type {
 	ns_t_sink = 40,		/*%< Kitchen sink (experimentatl) */
 	ns_t_opt = 41,		/*%< EDNS0 option (meta-RR) */
 	ns_t_apl = 42,		/*%< Address prefix list (RFC3123) */
+	ns_t_rrsig = 46,	/*%< DNSSEC RRset Signature (RFC4034) */
+	ns_t_nsec = 47,		/*%< DNSSEC Next-Secure Record (RFC4034)*/
+	ns_t_dnskey = 48,	/*%< DNSSEC key record (RFC4034) */
 	ns_t_tkey = 249,	/*%< Transaction key */
 	ns_t_tsig = 250,	/*%< Transaction signature. */
 	ns_t_ixfr = 251,	/*%< Incremental zone transfer. */
diff --git a/resolv/arpa/nameser_compat.h b/resolv/arpa/nameser_compat.h
index d59c9e4..284bff7 100644
--- a/resolv/arpa/nameser_compat.h
+++ b/resolv/arpa/nameser_compat.h
@@ -164,6 +164,9 @@ typedef struct {
 #define T_NAPTR		ns_t_naptr
 #define T_A6		ns_t_a6
 #define T_DNAME		ns_t_dname
+#define T_RRSIG		ns_t_rrsig
+#define T_NSEC		ns_t_nsec
+#define T_DNSKEY	ns_t_dnskey
 #define	T_TSIG		ns_t_tsig
 #define	T_IXFR		ns_t_ixfr
 #define T_AXFR		ns_t_axfr
diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c
index a861a84..ae55fac 100644
--- a/resolv/gethnamaddr.c
+++ b/resolv/gethnamaddr.c
@@ -331,23 +331,36 @@ getanswer (const querybuf *answer, int anslen, const char *qname, int qtype)
 			buflen -= n;
 			continue;
 		}
-		if ((type == T_SIG) || (type == T_KEY) || (type == T_NXT)) {
-			/* We don't support DNSSEC yet.  For now, ignore
-			 * the record and send a low priority message
-			 * to syslog.
-			 */
-			syslog(LOG_DEBUG|LOG_AUTH,
+		if ((type == T_SIG) || (type == T_KEY) || (type == T_NXT)
+		    || (type == T_RRSIG) || (type == T_NSEC)
+		    || (type == T_DNSKEY)) {
+		        /* We don't support DNSSEC responses yet, but we do
+			 * allow setting the DO bit.  If the DNS server sent us
+			 * these records without us asking for it, ignore the
+			 * record and send a low priority message to syslog.
+		         */
+			if ((_res.options & RES_USE_DNSSEC) == 0) {
+				syslog(LOG_DEBUG|LOG_AUTH,
 	       "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-			       qname, p_class(C_IN), p_type(qtype),
-			       p_type(type));
+					qname, p_class(C_IN), p_type(qtype),
+					p_type(type));
+			}
 			cp += n;
 			continue;
 		}
 		if (type != qtype) {
-			syslog(LOG_NOTICE|LOG_AUTH,
+			/* Skip logging if we received a DNAME when we have set
+			 * the DO bit.  DNAME records are a convenient way to
+			 * set up DNSSEC records and such setups can make this
+			 * log message needlessly noisy.
+			 */
+			if (!((_res.options & RES_USE_DNSSEC)
+			      && type == T_DNAME)) {
+				syslog(LOG_NOTICE|LOG_AUTH,
 	       "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-			       qname, p_class(C_IN), p_type(qtype),
-			       p_type(type));
+					qname, p_class(C_IN), p_type(qtype),
+					p_type(type));
+			}
 			cp += n;
 			continue;		/* XXX - had_error++ ? */
 		}
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0..510d388 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -822,13 +822,20 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 	}
       if (__builtin_expect (type == T_SIG, 0)
 	  || __builtin_expect (type == T_KEY, 0)
-	  || __builtin_expect (type == T_NXT, 0))
+	  || __builtin_expect (type == T_NXT, 0)
+	  || __builtin_expect (type == T_RRSIG, 0)
+	  || __builtin_expect (type == T_NSEC, 0)
+	  || __builtin_expect (type == T_DNSKEY, 0))
 	{
-	  /* We don't support DNSSEC yet.  For now, ignore the record
-	     and send a low priority message to syslog.  */
-	  syslog (LOG_DEBUG | LOG_AUTH,
-	       "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-		  qname, p_class (C_IN), p_type(qtype), p_type (type));
+	  /* We don't support DNSSEC responses yet, but we do allow setting the
+	     DO bit.  If the DNS server sent us these records without us asking
+	     for it, ignore the record and send a low priority message to
+	     syslog.  */
+	  if ((_res.options & RES_USE_DNSSEC) == 0)
+	    syslog (LOG_DEBUG | LOG_AUTH,
+		    "gethostby*.getanswer: asked for \"%s %s %s\", "
+		    "got type \"%s\"",
+		    qname, p_class (C_IN), p_type(qtype), p_type (type));
 	  cp += n;
 	  continue;
 	}
@@ -837,9 +844,14 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 	have_to_map = 1;
       else if (__builtin_expect (type != qtype, 0))
 	{
-	  syslog (LOG_NOTICE | LOG_AUTH,
-	       "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-		  qname, p_class (C_IN), p_type (qtype), p_type (type));
+	  /* Skip logging if we received a DNAME when we have set the DO bit.
+	     DNAME records are a convenient way to set up DNSSEC records and
+	     such setups can make this log message needlessly noisy.  */
+	  if (!((_res.options & RES_USE_DNSSEC) && type == T_DNAME))
+	    syslog (LOG_NOTICE | LOG_AUTH,
+		    "gethostby*.getanswer: asked for \"%s %s %s\", "
+		    "got type \"%s\"",
+		    qname, p_class (C_IN), p_type (qtype), p_type (type));
 	  cp += n;
 	  continue;			/* XXX - had_error++ ? */
 	}
diff --git a/resolv/res_debug.c b/resolv/res_debug.c
index 7843439..4a49629 100644
--- a/resolv/res_debug.c
+++ b/resolv/res_debug.c
@@ -450,6 +450,8 @@ const struct res_sym __p_type_syms[] = {
 	{ns_t_kx,	"KX",		"Key Exchange"},
 	{ns_t_cert,	"CERT",		"Certificate"},
 	{ns_t_any,	"ANY",		"\"any\""},
+	/* TODO Add RRSIG, NSEC and DNSKEY once we actually do something with
+	   them.  */
 	{0, 		NULL,		NULL}
 };
 libresolv_hidden_data_def (__p_type_syms)
Commit	Line	Data
bb330e25 AF	1	diff --git a/resolv/arpa/nameser.h b/resolv/arpa/nameser.h
	2	index fb8513b..372d5cd 100644
	3	--- a/resolv/arpa/nameser.h
	4	+++ b/resolv/arpa/nameser.h
	5	@@ -293,6 +293,9 @@ typedef enum __ns_type {
	6	ns_t_sink = 40, /%< Kitchen sink (experimentatl) /
	7	ns_t_opt = 41, /%< EDNS0 option (meta-RR) /
	8	ns_t_apl = 42, /%< Address prefix list (RFC3123) /
	9	+ ns_t_rrsig = 46, /%< DNSSEC RRset Signature (RFC4034) /
	10	+ ns_t_nsec = 47, /%< DNSSEC Next-Secure Record (RFC4034)/
	11	+ ns_t_dnskey = 48, /%< DNSSEC key record (RFC4034) /
	12	ns_t_tkey = 249, /%< Transaction key /
	13	ns_t_tsig = 250, /%< Transaction signature. /
	14	ns_t_ixfr = 251, /%< Incremental zone transfer. /
	15	diff --git a/resolv/arpa/nameser_compat.h b/resolv/arpa/nameser_compat.h
	16	index d59c9e4..284bff7 100644
	17	--- a/resolv/arpa/nameser_compat.h
	18	+++ b/resolv/arpa/nameser_compat.h
	19	@@ -164,6 +164,9 @@ typedef struct {
	20	#define T_NAPTR ns_t_naptr
	21	#define T_A6 ns_t_a6
	22	#define T_DNAME ns_t_dname
	23	+#define T_RRSIG ns_t_rrsig
	24	+#define T_NSEC ns_t_nsec
	25	+#define T_DNSKEY ns_t_dnskey
	26	#define T_TSIG ns_t_tsig
	27	#define T_IXFR ns_t_ixfr
	28	#define T_AXFR ns_t_axfr
	29	diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c
	30	index a861a84..ae55fac 100644
	31	--- a/resolv/gethnamaddr.c
	32	+++ b/resolv/gethnamaddr.c
	33	@@ -331,23 +331,36 @@ getanswer (const querybuf answer, int anslen, const char qname, int qtype)
	34	buflen -= n;
	35	continue;
	36	}
	37	- if ((type == T_SIG) \|\| (type == T_KEY) \|\| (type == T_NXT)) {
	38	- /* We don't support DNSSEC yet. For now, ignore
	39	- * the record and send a low priority message
	40	- * to syslog.
	41	- */
	42	- syslog(LOG_DEBUG\|LOG_AUTH,
	43	+ if ((type == T_SIG) \|\| (type == T_KEY) \|\| (type == T_NXT)
	44	+ \|\| (type == T_RRSIG) \|\| (type == T_NSEC)
	45	+ \|\| (type == T_DNSKEY)) {
	46	+ /* We don't support DNSSEC responses yet, but we do
	47	+ * allow setting the DO bit. If the DNS server sent us
	48	+ * these records without us asking for it, ignore the
	49	+ * record and send a low priority message to syslog.
	50	+ */
	51	+ if ((_res.options & RES_USE_DNSSEC) == 0) {
	52	+ syslog(LOG_DEBUG\|LOG_AUTH,
	53	"gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
	54	- qname, p_class(C_IN), p_type(qtype),
	55	- p_type(type));
	56	+ qname, p_class(C_IN), p_type(qtype),
	57	+ p_type(type));
	58	+ }
	59	cp += n;
	60	continue;
	61	}
	62	if (type != qtype) {
	63	- syslog(LOG_NOTICE\|LOG_AUTH,
	64	+ /* Skip logging if we received a DNAME when we have set
65	+ * the DO bit. DNAME records are a convenient way to
66	+ * set up DNSSEC records and such setups can make this
67	+ * log message needlessly noisy.
68	+ */
69	+ if (!((_res.options & RES_USE_DNSSEC)
70	+ && type == T_DNAME)) {
71	+ syslog(LOG_NOTICE\|LOG_AUTH,
72	"gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
73	- qname, p_class(C_IN), p_type(qtype),
74	- p_type(type));
75	+ qname, p_class(C_IN), p_type(qtype),
76	+ p_type(type));
77	+ }
78	cp += n;
79	continue; /* XXX - had_error++ ? */
80	}
81	diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
82	index f715ab0..510d388 100644
83	--- a/resolv/nss_dns/dns-host.c
84	+++ b/resolv/nss_dns/dns-host.c
85	@@ -822,13 +822,20 @@ getanswer_r (const querybuf answer, int anslen, const char qname, int qtype,
86	}
87	if (__builtin_expect (type == T_SIG, 0)
88	\|\| __builtin_expect (type == T_KEY, 0)
89	- \|\| __builtin_expect (type == T_NXT, 0))
90	+ \|\| __builtin_expect (type == T_NXT, 0)
91	+ \|\| __builtin_expect (type == T_RRSIG, 0)
92	+ \|\| __builtin_expect (type == T_NSEC, 0)
93	+ \|\| __builtin_expect (type == T_DNSKEY, 0))
94	{
95	- /* We don't support DNSSEC yet. For now, ignore the record
96	- and send a low priority message to syslog. */
97	- syslog (LOG_DEBUG \| LOG_AUTH,
98	- "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
99	- qname, p_class (C_IN), p_type(qtype), p_type (type));
100	+ /* We don't support DNSSEC responses yet, but we do allow setting the
101	+ DO bit. If the DNS server sent us these records without us asking
102	+ for it, ignore the record and send a low priority message to
103	+ syslog. */
104	+ if ((_res.options & RES_USE_DNSSEC) == 0)
105	+ syslog (LOG_DEBUG \| LOG_AUTH,
106	+ "gethostby*.getanswer: asked for \"%s %s %s\", "
107	+ "got type \"%s\"",
108	+ qname, p_class (C_IN), p_type(qtype), p_type (type));
109	cp += n;
110	continue;
111	}
112	@@ -837,9 +844,14 @@ getanswer_r (const querybuf answer, int anslen, const char qname, int qtype,
113	have_to_map = 1;
114	else if (__builtin_expect (type != qtype, 0))
115	{
116	- syslog (LOG_NOTICE \| LOG_AUTH,
117	- "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
118	- qname, p_class (C_IN), p_type (qtype), p_type (type));
119	+ /* Skip logging if we received a DNAME when we have set the DO bit.
120	+ DNAME records are a convenient way to set up DNSSEC records and
121	+ such setups can make this log message needlessly noisy. */
122	+ if (!((_res.options & RES_USE_DNSSEC) && type == T_DNAME))
123	+ syslog (LOG_NOTICE \| LOG_AUTH,
124	+ "gethostby*.getanswer: asked for \"%s %s %s\", "
125	+ "got type \"%s\"",
126	+ qname, p_class (C_IN), p_type (qtype), p_type (type));
127	cp += n;
128	continue; /* XXX - had_error++ ? */
129	}
130	diff --git a/resolv/res_debug.c b/resolv/res_debug.c
131	index 7843439..4a49629 100644
132	--- a/resolv/res_debug.c
133	+++ b/resolv/res_debug.c
134	@@ -450,6 +450,8 @@ const struct res_sym __p_type_syms[] = {
135	{ns_t_kx, "KX", "Key Exchange"},
136	{ns_t_cert, "CERT", "Certificate"},
137	{ns_t_any, "ANY", "\"any\""},
138	+ /* TODO Add RRSIG, NSEC and DNSKEY once we actually do something with
139	+ them. */
140	{0, NULL, NULL}
141	};
142	libresolv_hidden_data_def (__p_type_syms)