test if nameservers with DNSSEC support return "ad"-flagged data

DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a46999992a2b99b91cfe3d7b8b2466614dda3d24..dcb9653ee11b8cddcb752ae07ad92f7747065266 100644 (file)
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -378,7 +378,12 @@ ns_is_validating() {
        local ns=${1}
        shift
 
-       dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+       if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+               return 1
+       else
+               # Determine if NS replies with "ad" data flag if DNSSEC enabled
+               dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
+       fi
 }
 
 # Checks if we can retrieve the DNSKEY for this domain.