Skip logging for DNSSEC responses [BZ 14841]
authorSiddhesh Poyarekar <siddhesh@redhat.com>
Tue, 24 Feb 2015 07:27:26 +0000 (12:57 +0530)
committerSiddhesh Poyarekar <siddhesh@redhat.com>
Tue, 24 Feb 2015 07:47:29 +0000 (13:17 +0530)
DNSSEC defines a number of response types that one may expect when the
DO bit is set.  We don't process any of them, but since we do allow
setting the DO bit, skip them without logging an error since it is
only a nuisance.

Tested on x86_64.

[BZ #14841]
* resolv/gethnamaddr.c (getanswer): Skip logging if
RES_USE_DNSSEC is set.
* resolv/nss_dns/dns-host.c (getanswer_r): Likewise.

ChangeLog
NEWS
resolv/gethnamaddr.c
resolv/nss_dns/dns-host.c

index 6815223db66ef00855e0eabea92f0c8917fec040..2501fa5cc9576b9572617c5c7398f290d1e346c1 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-02-24  Siddhesh Poyarekar  <siddhesh@redhat.com>
+
+       [BZ #14841]
+       * resolv/gethnamaddr.c (getanswer): Skip logging if
+       RES_USE_DNSSEC is set.
+       * resolv/nss_dns/dns-host.c (getanswer_r): Likewise.
+
 2015-02-24  Mike Frysinger  <vapier@gentoo.org>
 
        * sysdeps/unix/sysv/linux/hppa/sysdep.h: Include dl-sysdep.h.
diff --git a/NEWS b/NEWS
index e5d8ee8834ae0c87011cce2c5a53d7ab569788ce..3925acd93f1ef8a06f0b784e4d72e8412aa01d19 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,9 +9,9 @@ Version 2.22
 
 * The following bugs are resolved with this release:
 
-  4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588,
-  17792, 17836, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969,
-  17978, 17987, 17991, 17996, 17998, 17999.
+  4719, 14841, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569,
+  17588, 17792, 17836, 17912, 17932, 17944, 17949, 17964, 17965, 17967,
+  17969, 17978, 17987, 17991, 17996, 17998, 17999.
 
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using
   new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
index a861a847cecd2a500b7a0b7dbaff4ff7e7e02426..7fd0e497b137538e4cf91e9bbd82c795115165d9 100644 (file)
@@ -331,23 +331,18 @@ getanswer (const querybuf *answer, int anslen, const char *qname, int qtype)
                        buflen -= n;
                        continue;
                }
-               if ((type == T_SIG) || (type == T_KEY) || (type == T_NXT)) {
-                       /* We don't support DNSSEC yet.  For now, ignore
-                        * the record and send a low priority message
-                        * to syslog.
-                        */
-                       syslog(LOG_DEBUG|LOG_AUTH,
-              "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-                              qname, p_class(C_IN), p_type(qtype),
-                              p_type(type));
-                       cp += n;
-                       continue;
-               }
                if (type != qtype) {
-                       syslog(LOG_NOTICE|LOG_AUTH,
+                       /* Log a low priority message if we get an unexpected
+                        * record, but skip it if we are using DNSSEC since it
+                        * uses many different types in responses that do not
+                        * match QTYPE.
+                        */
+                       if ((_res.options & RES_USE_DNSSEC) == 0) {
+                               syslog(LOG_NOTICE|LOG_AUTH,
               "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-                              qname, p_class(C_IN), p_type(qtype),
-                              p_type(type));
+                                       qname, p_class(C_IN), p_type(qtype),
+                                       p_type(type));
+                       }
                        cp += n;
                        continue;               /* XXX - had_error++ ? */
                }
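Review bot: The new guard inside `if (type != qtype)` keys on the resolver option rather than on the record type, so once RES_USE_DNSSEC is set every mismatched answer record is skipped without a trace, not only the DNSSEC ones (RRSIG, NSEC, DNSKEY and the like). That removes the one diagnostic an operator has for an unexpected record type in a response. Consider lowering the priority instead of dropping the message, e.g. `int prio = (_res.options & RES_USE_DNSSEC) ? LOG_DEBUG : LOG_NOTICE;` followed by `syslog(prio|LOG_AUTH, ...)` with the existing arguments. The added comment also says "low priority" while the call uses LOG_NOTICE, and SIG/KEY/NXT records that were logged at LOG_DEBUG before now reach LOG_NOTICE when the option is clear. The same applies to getanswer_r in resolv/nss_dns/dns-host.c; getanswer's body continues outside the hunk.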
index f715ab0b3fa7886afe9b9143d000d7f2ac0540b2..b16b0ddf110907a0086b86612e544d3dc75182b8 100644 (file)
@@ -820,26 +820,19 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
          linebuflen -= n;
          continue;
        }
-      if (__builtin_expect (type == T_SIG, 0)
-         || __builtin_expect (type == T_KEY, 0)
-         || __builtin_expect (type == T_NXT, 0))
-       {
-         /* We don't support DNSSEC yet.  For now, ignore the record
-            and send a low priority message to syslog.  */
-         syslog (LOG_DEBUG | LOG_AUTH,
-              "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-                 qname, p_class (C_IN), p_type(qtype), p_type (type));
-         cp += n;
-         continue;
-       }
 
       if (type == T_A && qtype == T_AAAA && map)
        have_to_map = 1;
       else if (__glibc_unlikely (type != qtype))
        {
-         syslog (LOG_NOTICE | LOG_AUTH,
-              "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-                 qname, p_class (C_IN), p_type (qtype), p_type (type));
+         /* Log a low priority message if we get an unexpected record, but
+            skip it if we are using DNSSEC since it uses many different types
+            in responses that do not match QTYPE.  */
+         if ((_res.options & RES_USE_DNSSEC) == 0)
+           syslog (LOG_NOTICE | LOG_AUTH,
+                   "gethostby*.getanswer: asked for \"%s %s %s\", "
+                   "got type \"%s\"",
+                   qname, p_class (C_IN), p_type (qtype), p_type (type));
          cp += n;
          continue;                     /* XXX - had_error++ ? */
        }
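Review bot: The format string in the new `syslog` call is split across two literals, so searching the tree for the message text as it appears in syslog no longer finds this call site. Keeping it on one line, as the getanswer copy in resolv/gethnamaddr.c does, keeps both sites greppable: `"gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",`. getanswer_r's body continues outside the hunk.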