From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 21 Apr 2016 15:27:38 +0000 (+0200)
Subject: Treat AD bit in query header correctly
X-Git-Tag: rec-4.0.0-alpha3~26^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3fe4ae63439992f080a8965a1975c2d60a5b189;p=thirdparty%2Fpdns.git

Treat AD bit in query header correctly
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 3cee6bde20..33ef3437a8 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -925,48 +925,48 @@ void startDoResolve(void *p)
     else {
       pw.getHeader()->rcode=res;
 
-      // FIXME: haveEDNS is not the way to handle initiation of validation, we
-      // should look for the AD bit in the header, see #3682
-      if(haveEDNS || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog) {
-	if(g_dnssecmode != DNSSECMode::Off && ((edo.d_Z & EDNSOpts::DNSSECOK) || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog)) {
+      // Does the validation mode or query demand validation?
+      if(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || (dc->d_mdp.d_header.ad && g_dnssecmode==DNSSECMode::Process)) {
+        if(sr.doLog()) {
+          L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<endl;
+        }
+
+        auto state=validateRecords(ret);
+        if(state == Secure) {
           if(sr.doLog()) {
-            L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<endl;
+            L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates correctly"<<endl;
+          }
+
+          // Is the query source interested in the value of the ad-bit?
+          if (dc->d_mdp.d_header.ad)
+            pw.getHeader()->ad=1;
+        }
+        else if(state == Insecure) {
+          if(sr.doLog()) {
+            L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Insecure"<<endl;
+          }
+
+          pw.getHeader()->ad=0;
+        }
+        else if(state == Bogus) {
+          if(sr.doLog()) {
+            L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Bogus"<<endl;
           }
-	  auto state=validateRecords(ret);
-	  if(state == Secure) {
-            if(sr.doLog()) {
-              L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates correctly"<<endl;
-            }
-          
-	    pw.getHeader()->ad=1;
-	  }
-	  else if(state == Insecure) {
-            if(sr.doLog()) {
-              L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Insecure"<<endl;
-            }
 
-	    pw.getHeader()->ad=0;
-	  }
-	  else if(state == Bogus ) {
+          // Does the query or validation mode sending out a SERVFAIL on validation errors?
+          if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || (dc->d_mdp.d_header.ad && g_dnssecmode != DNSSECMode::Off))) {
             if(sr.doLog()) {
-              L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Bogus"<<endl;
+              L<<Logger::Warning<<"Sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" because recursor or query demands it for Bogus results"<<endl;
             }
-            
-            if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || (edo.d_Z & EDNSOpts::DNSSECOK))) {
-              if(sr.doLog()) {
-                L<<Logger::Warning<<"Sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" because recursor or query demands it for Bogus results"<<endl;
-              }
-
-              pw.getHeader()->rcode=RCode::ServFail;
-              goto sendit;
-            } else {
-              if(sr.doLog()) {
-                L<<Logger::Warning<<"Not sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" Bogus validation since neither config nor query demands this"<<endl;
-              }
 
+            pw.getHeader()->rcode=RCode::ServFail;
+            goto sendit;
+          } else {
+            if(sr.doLog()) {
+              L<<Logger::Warning<<"Not sending out SERVFAIL for "<<dc->d_mdp.d_qname<<" Bogus validation since neither config nor query demands this"<<endl;
             }
-	  }
-	}
+          }
+        }
       }