From: W.C.A. Wijngaards
Date: Wed, 4 Oct 2023 11:54:05 +0000 (+0200)
Subject: - disable-edns-do, queriers receive no EDNS in response if the
X-Git-Tag: release-1.19.0rc1~29^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39df4f09234448219c10870180376a0f88ae0e69;p=thirdparty%2Funbound.git
- disable-edns-do, queriers receive no EDNS in response if the
disable-edns-do option is enabled and they set the DO flag. And unit test for that.
---
diff --git a/daemon/worker.c b/daemon/worker.c
index 2433f97dd..8ae05eb67 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -543,6 +543,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 edns->udp_size = EDNS_ADVERTISED_SIZE;
 edns->ext_rcode = 0;
 edns->bits &= EDNS_DO;
+ if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
+ edns->edns_present = 0;
 if(!inplace_cb_reply_cache_call(&worker->env, qinfo, NULL, msg->rep,
 (int)(flags&LDNS_RCODE_MASK), edns, repinfo, worker->scratchpad,
 worker->env.now_tv))
@@ -703,6 +705,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 edns->udp_size = EDNS_ADVERTISED_SIZE;
 edns->ext_rcode = 0;
 edns->bits &= EDNS_DO;
+ if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
+ edns->edns_present = 0;
 if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, rep,
 LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 worker->env.now_tv))
@@ -743,6 +747,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 edns->udp_size = EDNS_ADVERTISED_SIZE;
 edns->ext_rcode = 0;
 edns->bits &= EDNS_DO;
+ if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))
+ edns->edns_present = 0;
 *alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
 if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
 !partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep,
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index bbc6ddae5..b56fe20bb 100644
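Review bot: The pair `if(worker->env.cfg->disable_edns_do && (edns->bits & EDNS_DO))` / `edns->edns_present = 0;` is pasted verbatim at all three worker.c hunks here and again, with `m->s.env->cfg`, at both services/mesh.c hunks, so five sites now have to be kept in step whenever the meaning of the option is refined. Every one of those sites already performs the same `udp_size` / `ext_rcode` / `bits &= EDNS_DO` triplet, so that triplet plus the new test belongs in one small helper taking the config and the `struct edns_data*`, called from each site. A why-comment is also missing at the first occurrence; something like `/* disable-edns-do: a DO querier gets no OPT at all, so it learns that DNSSEC is not offered here */` would record the intent the commit message states. Note the clear happens before `inplace_cb_reply_cache_call` and its siblings run, so reply callbacks observe `edns_present == 0`, which is presumably desired but worth a word in that comment. The enclosing answer_norec_from_cache and answer_from_cache bodies continue outside these hunks.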
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1307,6 +1307,8 @@ Disable the EDNS DO flag in upstream requests. This can be helpful for devices
 that cannot handle DNSSEC information. But it should not be enabled otherwise,
 because that would stop DNSSEC validation. The DNSSEC validation would not work
 for Unbound itself, and also not for downstream users.
+When the option is enabled, queriers that set the DO flag receive no EDNS
+record in the response to indicate the lack of support to them.
 Default is no.
 .TP
 .B serve\-expired: \fI
diff --git a/services/mesh.c b/services/mesh.c
index be968e422..509bee36a 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -1197,6 +1197,8 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 r->edns.udp_size = EDNS_ADVERTISED_SIZE;
 r->edns.ext_rcode = 0;
 r->edns.bits &= EDNS_DO;
+ if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
+ r->edns.edns_present = 0;
 if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep,
 LDNS_RCODE_NOERROR, &r->edns, NULL, m->s.region, start_time) ||
@@ -1372,6 +1374,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 r->edns.udp_size = EDNS_ADVERTISED_SIZE;
 r->edns.ext_rcode = 0;
 r->edns.bits &= EDNS_DO;
+ if(m->s.env->cfg->disable_edns_do && (r->edns.bits&EDNS_DO))
+ r->edns.edns_present = 0;
 m->s.qinfo.qname = r->qname;
 m->s.qinfo.local_alias = r->local_alias;
diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl
index 86b0c32a9..82a16da06 100644
--- a/testdata/disable_edns_do.rpl
+++ b/testdata/disable_edns_do.rpl
@@ -150,7 +150,7 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA DO NOERROR
+REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
diff --git a/util/data/msgencode.c b/util/data/msgencode.c
index a170eb7b8..80ae33a38 100644
--- a/util/data/msgencode.c
+++ b/util/data/msgencode.c
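Review bot: The only expectation adjusted in the test is the DO-set query checked at STEP 10, which now matches a reply carrying no DO flag; nothing in this hunk pins down the narrower half of the new behaviour, that an EDNS query without DO still receives its OPT record while the option is on, which is exactly what the `edns->bits & EDNS_DO` half of the code condition exists to preserve. If the remainder of the file has no such step, a companion CHECK_ANSWER for a non-DO EDNS query would catch a later loosening of that condition. Also, `MATCH all` presumably compares flags and sections rather than the OPT record itself, so this step may be asserting only the absent DO bit and not the absent OPT; worth confirming against what the matcher covers, since the commit message claims the latter.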
@@ -1012,8 +1012,10 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep,
 ede_size = calc_ede_option_size(edns, &ede_txt_size);
 if(sldns_buffer_capacity(pkt) < udpsize)
 udpsize = sldns_buffer_capacity(pkt);
+ if(!edns || !edns->edns_present) {
+ attach_edns = 0;
 /* EDEs are optional, try to fit anything else before them */
- if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
+ } else if(udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size) {
 /* packet too small to contain edns, omit it. */
 attach_edns = 0;
 } else {
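Review bot: The comment `/* EDEs are optional, try to fit anything else before them */` now ends up inside the new `if(!edns || !edns->edns_present)` branch, where it describes nothing, while the `udpsize < LDNS_HEADER_SIZE + edns_field_size - ede_size` test it explains has moved to the `} else if(` line below it; hoist the comment above the new `if` so it heads the whole chain, e.g. `/* no OPT in the reply if the querier sent none (or we withhold it); otherwise EDEs are optional, so try to fit anything else before them */`. Separately, once the callers have cleared `edns_present` for a DO querier, `udpsize` here still appears to be whatever they derived from that querier's advertised EDNS payload size, so an OPT-less reply may be built larger than the 512-byte plain-DNS limit; if that is intended because the querier did advertise the larger size, a one-line comment saying so belongs next to the `attach_edns = 0;` in the new branch, otherwise clamp `udpsize` there. reply_info_answer_encode begins and ends outside this hunk, so whether `attach_edns` is initialised before this point is not visible here.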