return 1;
}
-static unsigned int search_servers(time_t now, struct all_addr **addrpp,
- unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
+static unsigned int search_servers(time_t now, struct all_addr **addrpp, unsigned int qtype,
+ char *qdomain, int *type, char **domain, int *norebind)
{
/* If the query ends in the domain in one of our servers, set
if (domainlen >= matchlen)
{
- *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
+ *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_DO_DNSSEC);
*domain = serv->domain;
matchlen = domainlen;
if (serv->flags & SERV_NO_ADDR)
struct frec *forward, int ad_reqd, int do_bit)
{
char *domain = NULL;
- int type = 0, norebind = 0;
+ int type = SERV_DO_DNSSEC, norebind = 0;
struct all_addr *addrp = NULL;
unsigned int flags = 0;
struct server *start = NULL;
#ifdef HAVE_DNSSEC
void *hash = hash_questions(header, plen, daemon->namebuff);
+ int do_dnssec = 0;
#else
unsigned int crc = questions_crc(header, plen, daemon->namebuff);
void *hash = &crc;
daemon->last_server = NULL;
}
type = forward->sentto->flags & SERV_TYPE;
+#ifdef HAVE_DNSSEC
+ do_dnssec = forward->sentto->flags & SERV_DO_DNSSEC;
+#endif
+
if (!(start = forward->sentto->next))
start = daemon->servers; /* at end of list, recycle */
header->id = htons(forward->new_id);
if (gotname)
flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+#ifdef HAVE_DNSSEC
+ do_dnssec = type & SERV_DO_DNSSEC;
+ type &= ~SERV_DO_DNSSEC;
+#endif
+
if (!flags && !(forward = get_new_frec(now, NULL, 0)))
/* table full - server failure. */
flags = F_NEG;
}
#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && !(type & SERV_HAS_DOMAIN))
+ if (option_bool(OPT_DNSSEC_VALID) && do_dnssec)
{
size_t new = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ);
no_cache_dnssec = 1;
#ifdef HAVE_DNSSEC
- if (server && !(server->flags & SERV_HAS_DOMAIN) &&
+ if (server && (server->flags & SERV_DO_DNSSEC) &&
option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
{
int status = 0;
if (gotname)
flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+#ifdef HAVE_DNSSEC
+ type &= ~SERV_DO_DNSSEC;
+#endif
+
if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
last_server = daemon->servers;
else
}
#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID))
+ if (option_bool(OPT_DNSSEC_VALID) && (last_server->flags & SERV_DO_DNSSEC))
{
new_size = add_do_bit(header, size, ((unsigned char *) header) + 65536);
#endif
#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
+ if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC))
{
int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
int status = tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
if (!option_bool(OPT_NOWILD))
enumerate_interfaces(0);
+#ifdef HAVE_DNSSEC
+ /* Disable DNSSEC validation when using server=/domain/.... servers
+ unless there's a configured trust anchor. */
+ for (serv = daemon->servers; serv; serv = serv->next)
+ serv->flags |= SERV_DO_DNSSEC;
+#endif
+
for (serv = daemon->servers; serv; serv = serv->next)
{
- if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
+ if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
{
- port = prettyprint_addr(&serv->addr, daemon->namebuff);
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && (serv->flags & SERV_HAS_DOMAIN))
+ {
+ struct ds_config *ds;
+ char *domain = serv->domain;
+
+ /* .example.com is valid */
+ while (*domain == '.')
+ domain++;
+
+ for (ds = daemon->ds; ds; ds = ds->next)
+ if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
+ break;
+ if (!ds)
+ serv->flags &= ~SERV_DO_DNSSEC;
+ }
+#endif
+
+ port = prettyprint_addr(&serv->addr, daemon->namebuff);
+
/* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
if (serv->addr.sa.sa_family == AF_INET &&
serv->addr.in.sin_addr.s_addr == 0)
{
if (serv->flags & (SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_USE_RESOLV))
{
- char *s1, *s2;
+ char *s1, *s2, *s3 = "";
+#ifdef HAVE_DNSSEC
+ if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
+ s3 = _("(no DNSSEC)");
+#endif
if (!(serv->flags & SERV_HAS_DOMAIN))
s1 = _("unqualified"), s2 = _("names");
else if (strlen(serv->domain) == 0)
else if (serv->flags & SERV_USE_RESOLV)
my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2);
else
- my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s"), daemon->namebuff, port, s1, s2);
+ my_syslog(LOG_INFO, _("using nameserver %s#%d for %s %s %s"), daemon->namebuff, port, s1, s2, s3);
}
#ifdef HAVE_LOOP
else if (serv->flags & SERV_LOOP)
projects / people / ms / dnsmasq.git / commitdiff
