Commit Diff
Diff:
10ee03c1013cee72c867688526b18351be08964f
0d5ad39a551f5d03276edc4f5234fe7f15286d12
Commit:
0d5ad39a551f5d03276edc4f5234fe7f15286d12
Tree:
0d29211ee77611388e47421d45bb25798c40e823
Author:
pjp <pjp@delphinusdns.org>
Committer:
pjp <pjp@delphinusdns.org>
Date:
Sun Apr 7 15:18:27 2019 UTC
Message:
When serving signed and unsigned zones from the same server, a lookup in an unsigned zone with the DO bit set always produced a TC (truncated) answer. This fix flags each name's RRSET container (rbtree) with a dnssec flag; unless an RRSIG has been loaded for that name, the server no longer attempts to answer with an RRSIG (which, before this fix, caused the TC bit to be set). Tested on OpenBSD on internal zones.
blob - 50f1820fac53ab56eae5c0633162e7746fa7719d
blob + 9ab2e1ee8d7ea43b2d62fcce8b5628be3167689c
--- db.c
+++ db.c
@@ -27,7 +27,7 @@
*/
/*
- * $Id: db.c,v 1.10 2019/02/19 11:49:54 pjp Exp $
+ * $Id: db.c,v 1.11 2019/04/07 15:18:27 pjp Exp $
*/
#include "ddd-include.h"
@@ -40,6 +40,7 @@ struct rrset * find_rr(struct rbtree *rbt, u_int16_t r
int add_rr(struct rbtree *rbt, char *name, int len, u_int16_t rrtype, void *rdata);
int display_rr(struct rrset *rrset);
int rotate_rr(struct rrset *rrset);
+void flag_rr(struct rbtree *rbt);
extern void dolog(int, char *, ...);
@@ -170,6 +171,7 @@ create_rr(ddDB *db, char *name, int len, int type, voi
rbt->zonelen = len;
humanname = convert_name(name, len);
strlcpy(rbt->humanname, humanname, sizeof(rbt->humanname));
+ rbt->dnssec = 0; /* by default not dnssec'ed */
TAILQ_INIT(&rbt->rrset_head);
}
@@ -303,6 +305,12 @@ find_rr(struct rbtree *rbt, u_int16_t rrtype)
}
return (rp);
+}
+
+void
+flag_rr(struct rbtree *rbt)
+{
+ rbt->dnssec = 1;
}
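Review bot: flag_rr() is a new exported function with no comment, and its name does not say what it marks or who is expected to call it; a one-line header such as `/* flag_rr: mark this name (rbtree) as carrying an RRSIG so the reply_*() paths will try to add one; called from fill_rrsig() */` on the definition would help. It does not guard against a NULL rbt; the only caller visible in this diff reaches it after create_rr's NULL check, so that is acceptable, but the comment should say the caller is responsible for that. Because the prototype is repeated in db.c and as an extern in parse.y, the definition here is the right place for the contract.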
int
blob - fb43a42b41141cb14bbd5e605d3622e4412b0d54
blob + a5f9f96c514dc56828cdfdb827db9f54d7a36974
--- ddd-db.h
+++ ddd-db.h
@@ -27,7 +27,7 @@
*/
/*
- * $Id: ddd-db.h,v 1.16 2019/02/24 07:14:02 pjp Exp $
+ * $Id: ddd-db.h,v 1.17 2019/04/07 15:18:27 pjp Exp $
*/
#ifndef _DB_H
@@ -324,6 +324,7 @@ struct rbtree {
char zone[DNS_MAXNAME];
int zonelen;
char humanname[DNS_MAXNAME + 1];
+ int dnssec;
TAILQ_HEAD(, rrset) rrset_head;
};
blob - d2509f48a73b67ea5e399af6f54581e7555d6615
blob + bdb026aa9c13b48db7e9959fa588b6541db22878
--- parse.y
+++ parse.y
@@ -21,7 +21,7 @@
*/
/*
- * $Id: parse.y,v 1.63 2019/02/26 07:45:56 pjp Exp $
+ * $Id: parse.y,v 1.64 2019/04/07 15:18:27 pjp Exp $
*/
%{
@@ -54,6 +54,7 @@ extern struct rbtree * find_rrset(ddDB *db, char *name
extern struct rrset * find_rr(struct rbtree *rbt, u_int16_t rrtype);
extern int add_rr(struct rbtree *rbt, char *name, int len, u_int16_t rrtype, void *rdata);
extern int display_rr(struct rrset *rrset);
+extern void flag_rr(struct rbtree *);
extern int whitelist;
@@ -2117,6 +2118,7 @@ int
fill_rrsig(char *name, char *type, u_int32_t myttl, char *typecovered, u_int8_t algorithm, u_int8_t labels, u_int32_t original_ttl, u_int64_t sig_expiration, u_int64_t sig_inception, u_int16_t keytag, char *signers_name, char *signature)
{
ddDB *db = mydb;
+ ddDBT key, data;
struct rbtree *rbt;
struct rrsig *rrsig;
int converted_namelen, signers_namelen;
@@ -2200,7 +2202,23 @@ fill_rrsig(char *name, char *type, u_int32_t myttl, ch
dolog(LOG_ERR, "create_rr failed\n");
return -1;
}
-
+
+ /* flag this rrset as being a DNSSEC rrset */
+
+ flag_rr(rbt);
+
+ memset(&key, 0, sizeof(key));
+ memset(&data, 0, sizeof(data));
+
+ key.data = (char *)converted_name;
+ key.size = converted_namelen;
+
+ data.data = (void*)rbt;
+ data.size = sizeof(struct rbtree);
+
+ if (db->put(db, &key, &data) != 0) {
+ return NULL;
+ }
if (signers_name2)
free(signers_name2);
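Review bot: `return NULL;` after the failed `db->put()` is wrong for fill_rrsig, which is declared `int` in the hunk above and returns -1 on the create_rr failure just before; NULL converts to 0, so a failed store is reported to the caller as success. The failure is then silent: if db->put stores a copy of the rbtree (the `data.size = sizeof(struct rbtree)` suggests it does), the dnssec flag set by flag_rr() never reaches the stored record and that name would answer DO queries unsigned even though its RRSIG was loaded. Use the same shape as the create_rr error path, `dolog(LOG_ERR, "fill_rrsig: db->put failed\n"); return -1;`, and free signers_name2 on this path as well (the existing create_rr error return appears to have the same leak). fill_rrsig continues outside this hunk.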
blob - 5872842f92a3cbbc99ae709b93e03b5f5220ff81
blob + bc8f2b0862d13d4f8511cf221ac8c846f659f51b
--- reply.c
+++ reply.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005-2018 Peter J. Philipp
+ * Copyright (c) 2005-2019 Peter J. Philipp
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -27,7 +27,7 @@
*/
/*
- * $Id: reply.c,v 1.75 2019/02/28 08:54:29 pjp Exp $
+ * $Id: reply.c,v 1.76 2019/04/07 15:18:27 pjp Exp $
*/
#include "ddd-include.h"
@@ -235,7 +235,7 @@ reply_a(struct sreply *sreply, ddDB *db)
odh->answer = htons(a_count);
/* Add RRSIG reply_a */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
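Review bot: The new `rbt->dnssec` guard gates per name, not per zone: flag_rr() is only called from fill_rrsig(), so a name inside a signed zone whose RRSIG failed to load or was omitted from the zone file now answers a DO query with no signature at all instead of the previous TC, and a validating resolver holding a DS for that zone will treat the answer as bogus rather than retrying over TCP. That is the intended behaviour for genuinely unsigned zones, but it turns a loading mistake into a silent outage for validators. Consider logging when this branch is skipped for a name in a zone that has RRSIGs elsewhere, and add a comment on the condition such as `/* rbt->dnssec: an RRSIG was loaded for this name; unsigned names get no RRSIG and no TC */`. The same change is repeated in every reply_*() hunk below; reply_a continues outside this hunk.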
@@ -446,7 +446,7 @@ reply_nsec3param(struct sreply *sreply, ddDB *db)
/* Add RRSIG reply_nsec3 */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -671,7 +671,7 @@ reply_nsec3(struct sreply *sreply, ddDB *db)
/* Add RRSIG reply_nsec3 */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -865,7 +865,7 @@ reply_nsec(struct sreply *sreply, ddDB *db)
/* Add RRSIG reply_nsec */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -1059,7 +1059,7 @@ reply_ds(struct sreply *sreply, ddDB *db)
odh->answer = htons(a_count);
/* Add RRSIG reply_ds */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -1256,7 +1256,7 @@ reply_dnskey(struct sreply *sreply, ddDB *db)
odh->answer = htons(dnskey_count);
/* Add RRSIG reply_dnskey */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -1593,7 +1593,7 @@ reply_aaaa(struct sreply *sreply, ddDB *db)
odh->answer = htons(aaaa_count);
/* RRSIG reply_aaaa */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -1787,7 +1787,7 @@ reply_mx(struct sreply *sreply, ddDB *db)
/* RRSIG reply_mx*/
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int origlen = outlen;
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_MX, rbt, reply, replysize, outlen, 0);
@@ -1984,7 +1984,7 @@ reply_ns(struct sreply *sreply, ddDB *db)
/* add RRSIG reply_ns */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int origlen = outlen;
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_NS, rbt, reply, replysize, outlen, 0);
@@ -2182,7 +2182,7 @@ reply_cname(struct sreply *sreply, ddDB *db)
answer->rdlength = htons(&reply[outlen] - &answer->rdata);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_CNAME, rbt, reply, replysize, outlen, 0);
if (tmplen == 0) {
@@ -2213,7 +2213,7 @@ reply_cname(struct sreply *sreply, ddDB *db)
odh->answer += addcount;
HTONS(odh->answer);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt1->dnssec) {
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_A, rbt1, reply, replysize, outlen, 0);
if (tmplen == 0) {
@@ -2243,7 +2243,7 @@ reply_cname(struct sreply *sreply, ddDB *db)
odh->answer += addcount;
HTONS(odh->answer);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt1->dnssec) {
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_AAAA, rbt1, reply, replysize, outlen, 0);
if (tmplen == 0) {
@@ -2273,7 +2273,7 @@ reply_cname(struct sreply *sreply, ddDB *db)
odh->answer += addcount;
HTONS(odh->answer);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt1->dnssec) {
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_MX, rbt1, reply, replysize, outlen, 0);
if (tmplen == 0) {
@@ -2303,7 +2303,7 @@ reply_cname(struct sreply *sreply, ddDB *db)
odh->answer += addcount;
HTONS(odh->answer);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt1->dnssec) {
tmplen = additional_rrsig(((struct cname *)rrp->rdata)->cname, ((struct cname *)rrp->rdata)->cnamelen, DNS_TYPE_PTR, rbt1, reply, replysize, outlen, 0);
if (tmplen == 0) {
@@ -2493,7 +2493,7 @@ reply_ptr(struct sreply *sreply, ddDB *db)
answer->rdlength = htons(&reply[outlen] - &answer->rdata);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_PTR, rbt, reply, replysize, outlen, 0);
if (tmplen == 0) {
@@ -2746,7 +2746,7 @@ reply_soa(struct sreply *sreply, ddDB *db)
answer->rdlength = htons(&reply[outlen] - &answer->rdata);
/* RRSIG reply_soa */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -2921,7 +2921,7 @@ reply_txt(struct sreply *sreply, ddDB *db)
answer->rdlength = htons(((struct txt *)rrp->rdata)->txtlen + 1);
/* Add RRSIG reply_txt */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -3242,7 +3242,7 @@ reply_tlsa(struct sreply *sreply, ddDB *db)
odh->answer = htons(tlsa_count);
/* RRSIG reply_tlsa */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -3430,7 +3430,7 @@ reply_sshfp(struct sreply *sreply, ddDB *db)
odh->answer = htons(sshfp_count);
/* RRSIG reply_sshfp */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -3654,7 +3654,7 @@ reply_naptr(struct sreply *sreply, ddDB *db)
/* RRSIG reply_naptr*/
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int origlen = outlen;
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_NAPTR, rbt, reply, replysize, outlen, 0);
@@ -3848,7 +3848,7 @@ reply_srv(struct sreply *sreply, ddDB *db)
odh->answer = htons(srv_count);
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int origlen = outlen;
tmplen = additional_rrsig(q->hdr->name, q->hdr->namelen, DNS_TYPE_SRV, rbt, reply, replysize, outlen, 0);
@@ -4223,7 +4223,7 @@ reply_nxdomain(struct sreply *sreply, ddDB *db)
answer->rdlength = htons(&reply[outlen] - &answer->rdata);
/* RRSIG reply_nxdomain */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;
@@ -4851,7 +4851,7 @@ reply_noerror(struct sreply *sreply, ddDB *db)
answer->rdlength = htons(&reply[outlen] - &answer->rdata);
/* RRSIG reply_nxdomain */
- if (dnssec && q->dnssecok) {
+ if (dnssec && q->dnssecok && rbt->dnssec) {
int tmplen = 0;
int origlen = outlen;