From: Tom Carpay Date: Mon, 16 Aug 2021 12:46:24 +0000 (+0000) Subject: Return EDE_DNSSEC_BOGUS when returning bogus answers X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eac4eb3a9e04096a941bdf29c91f5b5b348cfe05;p=thirdparty%2Funbound.git Return EDE_DNSSEC_BOGUS when returning bogus answers
---
diff --git a/daemon/worker.c b/daemon/worker.c
index 5c324c0ce..53f1e1373 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -485,6 +485,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 worker->env.now_tv))
 return 0;
+ EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
+ LDNS_EDE_DNSSEC_BOGUS, "");
 error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
 &msg->qinfo, id, flags, edns);
 if(worker->stats.extended) {
@@ -659,6 +661,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 worker->env.now_tv))
 goto bail_out;
+ EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
+ LDNS_EDE_DNSSEC_BOGUS, "");
 error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
 qinfo, id, flags, edns);
 rrset_array_unlock_touch(worker->env.rrset_cache,
@@ -1414,19 +1418,13 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 LDNS_EDE_NOT_AUTHORITATIVE, "Not Authoritative");
-
-
 error_encode(c->buffer, LDNS_RCODE_REFUSED, &qinfo,
 *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
- sldns_buffer_read_u16_at(c->buffer, 2), NULL);
+ sldns_buffer_read_u16_at(c->buffer, 2), &edns);
 regional_free_all(worker->scratchpad);
 log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 &repinfo->addr, repinfo->addrlen);
- if(sldns_buffer_capacity(c->buffer) >=
- sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns))
- attach_edns_record(c->buffer, &edns);
-
 goto send_reply;
 }
diff --git a/services/mesh.c b/services/mesh.c
index 7931a072f..7252413be 100644
--- a/services/mesh.c
+++ b/services/mesh.c
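Review bot: The new `EDNS_OPT_APPEND_EDE(edns, worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, "")` call in answer_norec_from_cache is unconditional within this SERVFAIL branch, and the condition that selects the branch lies outside the hunk; the services/mesh.c hunk gates the same option on need_to_validate, the CD bit (or ignore_cd) and rep->security, so confirm the enclosing check here already applies those same three tests, otherwise a client that set CD could be told DNSSEC Bogus from the cache path but not from the mesh path. The identical insertion in the answer_from_cache hunk at -659 has the same open question. Both insertions also lack the comment the mesh.c version carries; adding `/* Send along EDE BOGUS EDNS0 option when answer is bogus */` above each call would make the intent visible to a reader of this file alone. answer_norec_from_cache continues outside the hunk.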
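Review bot: Dropping the explicit `sldns_buffer_capacity(c->buffer) >= sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns)` guard makes error_encode solely responsible for deciding whether the OPT record, which now carries the NOT_AUTHORITATIVE EDE, fits in c->buffer; from this hunk alone it is not visible whether error_encode bounds the record the way the removed lines did, so please confirm that before relying on the new &edns argument. If error_encode does perform its own size check the change is a pure simplification, but a one-line comment at the call such as `/* error_encode attaches the EDNS record and checks that it fits */` would record that the guard moved rather than vanished. worker_handle_request continues on both sides of the hunk.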
@@ -1271,6 +1271,16 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 &r->edns, &r->query_reply, m->s.region, &r->start_time))
 r->edns.opt_list = NULL;
 }
+ /* Send along EDE BOGUS EDNS0 option when answer is bogus */
+ if(rcode == LDNS_RCODE_SERVFAIL &&
+ m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
+ m->s.env->cfg->ignore_cd) && rep &&
+ (rep->security <= sec_status_bogus ||
+ rep->security == sec_status_secure_sentinel_fail)) {
+
+ EDNS_OPT_APPEND_EDE(&r->edns, m->s.region,
+ LDNS_EDE_DNSSEC_BOGUS, "");
+ }
 error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
 r->qflags, &r->edns);
 m->reply_list = NULL;
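Review bot: `rep->security <= sec_status_bogus` is broader than the comment above it states: sec_status_unchecked is the lowest value of enum sec_status, so a SERVFAIL whose reply was never validated would also be tagged DNSSEC Bogus, misreporting a failure that the validator did not produce. Writing the test as `rep->security == sec_status_bogus ||` restricts the option to replies the validator actually rejected; if unchecked replies are meant to be covered, the comment should say so explicitly. The blank line after the opening brace of the new block looks stray and is worth dropping. mesh_send_reply continues outside the hunk.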