From: Tom Carpay <tom@nlnetlabs.nl>
Date: Mon, 6 Sep 2021 13:13:49 +0000 (+0000)
Subject: add ede to always_refuse and always_null
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7079f0b5aa12f0845630e57da67ed49c1d31a80e;p=thirdparty%2Funbound.git

add ede to always_refuse and always_null
---

diff --git a/services/localzone.c b/services/localzone.c
index 945d8e9b0..7e9df6d10 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -1282,6 +1282,50 @@ local_encode(struct query_info* qinfo, struct module_env* env,
 	return 1;
 }
 
+/** encode answer consisting of 1 rrset (with EDE code) */
+static int
+local_encode_ede(struct query_info* qinfo, struct module_env* env,
+	struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
+	struct regional* temp, struct ub_packed_rrset_key* rrset, int ansec,
+	int rcode, sldns_ede_code ede_code, const char* ede_txt)
+{
+	struct reply_info rep;
+	uint16_t udpsize;
+	/* make answer with time=0 for fixed TTL values */
+	memset(&rep, 0, sizeof(rep));
+	rep.flags = (uint16_t)((BIT_QR | BIT_AA | BIT_RA) | rcode);
+	rep.qdcount = 1;
+	if(ansec)
+		rep.an_numrrsets = 1;
+	else	rep.ns_numrrsets = 1;
+	rep.rrset_count = 1;
+	rep.rrsets = &rrset;
+	udpsize = edns->udp_size;
+	edns->edns_version = EDNS_ADVERTISED_VERSION;
+	edns->udp_size = EDNS_ADVERTISED_SIZE;
+	edns->ext_rcode = 0;
+	edns->bits &= EDNS_DO;
+	if(!inplace_cb_reply_local_call(env, qinfo, NULL, &rep, rcode, edns,
+		repinfo, temp, env->now_tv)) {
+		error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
+			*(uint16_t*)sldns_buffer_begin(buf),
+			sldns_buffer_read_u16_at(buf, 2), edns);
+	} else {
+		edns_opt_append_ede(edns, temp, ede_code, ede_txt);
+
+		if(!reply_info_answer_encode(qinfo, &rep,
+			*(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2),
+			buf, 0, 0, temp, udpsize, edns, (int)(edns->bits&EDNS_DO), 0)) {
+			/* @TODO: Do we need EDE here? Which one? */
+			error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
+				*(uint16_t*)sldns_buffer_begin(buf),
+				sldns_buffer_read_u16_at(buf, 2), edns);
+		}
+	}
+	return 1;
+}
+
+
 /** encode local error answer */
 static void
 local_error_encode(struct query_info* qinfo, struct module_env* env,
@@ -1633,9 +1677,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		if(z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				z->soa_negative, 0, rcode);
-		/* NODATA or NXDOMAIN: No EDE needed */
-		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
-			(rcode|BIT_AA));
+		local_error_encode_ede(qinfo, env, edns, repinfo, buf, temp,
+			rcode, (rcode|BIT_AA),
+			LDNS_EDE_BLOCKED, "");
 		return 1;
 	} else if(lz_type == local_zone_typetransparent
 		|| lz_type == local_zone_always_transparent) {
@@ -1673,8 +1717,8 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 			d.rr_len = &rr_len;
 			d.rr_data = &rr_datas;
 			d.rr_ttl = &rr_ttl;
-			return local_encode(qinfo, env, edns, repinfo, buf, temp,
-				&lrr, 1, LDNS_RCODE_NOERROR);
+			return local_encode_ede(qinfo, env, edns, repinfo, buf, temp,
+				&lrr, 1, LDNS_RCODE_NOERROR, LDNS_EDE_FORGED_ANSWER, "");
 		} else {
 			/* NODATA: No EDE needed */
 			local_error_encode(qinfo, env, edns, repinfo, buf,