From 3e659bd4ec6525ebe4518fd10b8e183997f46351 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Sun, 2 Feb 2025 16:21:21 +0000 Subject: [PATCH] Remove the concept of "DNSSEC incapable servers". We're going to replace this with configured or extrapolated DS records. --- src/domain-match.c | 11 +++-------- src/forward.c | 14 ++++++-------- src/network.c | 31 ------------------------------- 3 files changed, 9 insertions(+), 47 deletions(-) diff --git a/src/domain-match.c b/src/domain-match.c index 80a3602..e8204c8 100644 --- a/src/domain-match.c +++ b/src/domain-match.c @@ -94,8 +94,7 @@ void build_server_array(void) server=/.example.com/ works. A flag of F_SERVER returns an upstream server only. - A flag of F_DNSSECOK returns a DNSSEC capable server only and - also disables NODOTS servers from consideration. + A flag of F_DNSSECOK disables NODOTS servers from consideration. A flag of F_DOMAINSRV returns a domain-specific server only. A flag of F_CONFIG returns anything that generates a local reply of IPv4 or IPV6. @@ -338,12 +337,8 @@ int filter_servers(int seed, int flags, int *lowout, int *highout) if (i != nlow) { - /* If we want a server that can do DNSSEC, and this one can't, - return nothing, similarly if were looking only for a server - for a particular domain. */ - if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC)) - nlow = nhigh; - else if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0) + /* If we want a server for a particular domain, and this one isn't, return nothing. */ + if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0) nlow = nhigh; else nhigh = i; diff --git a/src/forward.c b/src/forward.c index 28b6ffd..00e4284 100644 --- a/src/forward.c +++ b/src/forward.c 
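Review bot: The rewritten comment above the surviving `if` in filter_servers ends with "and this one isn't", which has lost its referent now that the DNSSEC clause is gone; `/* If the caller asked for a domain-specific server and this one has no domain, return nothing. */` states what the `domain_len == 0` test actually checks. With the `SERV_DO_DNSSEC` comparison removed, `F_DNSSECOK` only suppresses NODOTS servers here (as the updated header comment in the first hunk says), so any caller that passed it expecting an empty result for a non-validating upstream should be re-checked; those callers are outside this hunk. filter_servers begins before the hunk and continues after it.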
@@ -375,7 +375,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr, forward->flags = fwd_flags; #ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC)) + if (option_bool(OPT_DNSSEC_VALID)) { plen = add_do_bit(header, plen, ((unsigned char *) header) + daemon->edns_pktsz); @@ -954,8 +954,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header, status = dnssec_validate_ds(now, header, plen, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter); else status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, - !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), - NULL, NULL, NULL, &orig->validate_counter); + !option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, &orig->validate_counter); if (STAT_ISEQUAL(status, STAT_ABANDONED)) log_resource = 1; @@ -1278,7 +1277,7 @@ void reply_query(int fd, time_t now) #ifdef HAVE_DNSSEC if (option_bool(OPT_DNSSEC_VALID)) { - if ((forward->sentto->flags & SERV_DO_DNSSEC) && !(forward->flags & FREC_CHECKING_DISABLED)) + if (!(forward->flags & FREC_CHECKING_DISABLED)) { dnssec_validate(forward, header, n, STAT_OK, now); return; @@ -2271,8 +2270,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount); else new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, - !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), - NULL, NULL, NULL, validatecount); + !option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, validatecount); if (!STAT_ISEQUAL(new_status, STAT_NEED_DS) && !STAT_ISEQUAL(new_status, STAT_NEED_KEY) && !STAT_ISEQUAL(new_status, STAT_ABANDONED)) break; 
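Review bot: The DO bit is now added for every upstream whenever OPT_DNSSEC_VALID is set, including servers flagged SERV_FOR_NODOTS, which the removed check_servers code deliberately never marked SERV_DO_DNSSEC, and nothing in this hunk re-creates that exclusion. Since reply_query no longer gates on the server either, unsigned replies for single-label names are validated as well, and unless dnssec_validate_ds already resolves a bare label to INSECURE those lookups will come back BOGUS because no chain of trust can cover them. If that breaks `server=//addr` setups before the configured/extrapolated DS records from the commit message exist, the minimal interim guard is `if (option_bool(OPT_DNSSEC_VALID) && !(master->flags & SERV_FOR_NODOTS))` here, with the matching test on `forward->sentto->flags` in reply_query. forward_query begins before the hunk and continues after it.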
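Review bot: The fifth argument to dnssec_validate_reply is now the bare expression `!option_bool(OPT_DNSSEC_IGN_NS)`, repeated verbatim in tcp_key_recurse, and as a positional int in a nine-argument call its meaning is invisible at the call site. A named local such as `int check_unsigned = !option_bool(OPT_DNSSEC_IGN_NS);  /* presumably: demand proof that an unsigned answer lies in an unsigned zone */` (matching whatever dnssec.c calls the parameter) documents it once and keeps the two call sites in step. dnssec_validate begins before the hunk and continues after it.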
@@ -2598,7 +2596,7 @@ unsigned char *tcp_request(int confd, time_t now, start = master->last_server; #ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC)) + if (option_bool(OPT_DNSSEC_VALID)) { size = add_do_bit(header, size, ((unsigned char *) header) + 65536); @@ -2627,7 +2625,7 @@ unsigned char *tcp_request(int confd, time_t now, if (checking_disabled || (header->hb4 & HB4_CD)) no_cache_dnssec = 1; - else if (master->flags & SERV_DO_DNSSEC) + else { int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ int validatecount = daemon->limit[LIMIT_CRYPTO]; diff --git a/src/network.c b/src/network.c index 15a38fc..1c71fe3 100644 --- a/src/network.c +++ b/src/network.c @@ -1587,33 +1587,6 @@ void check_servers(int no_loop_check) for (count = 0, serv = daemon->servers; serv; serv = serv->next) { -#ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID)) - { - if (!(serv->flags & SERV_FOR_NODOTS)) - serv->flags |= SERV_DO_DNSSEC; - - /* Disable DNSSEC validation when using server=/domain/.... servers - unless there's a configured trust anchor. */ - if (strlen(serv->domain) != 0) - { - struct ds_config *ds; - char *domain = serv->domain; - - /* .example.com is valid */ - while (*domain == '.') - domain++; - - for (ds = daemon->ds; ds; ds = ds->next) - if (ds->name[0] != 0 && hostname_isequal(domain, ds->name)) - break; - - if (!ds) - serv->flags &= ~SERV_DO_DNSSEC; - } - } -#endif - port = prettyprint_addr(&serv->addr, daemon->namebuff); /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */ @@ -1659,10 +1632,6 @@ void check_servers(int no_loop_check) { char *s1, *s2, *s3 = "", *s4 = ""; -#ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC)) - s3 = _("(no DNSSEC)"); -#endif if (serv->flags & SERV_FOR_NODOTS) s1 = _("unqualified"), s2 = _("names"); else if (strlen(serv->domain) == 0)
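Review bot: Dropping the trust-anchor lookup here changes what a `server=/domain/addr` line means under `--dnssec`, and neither the commit message nor a man-page/CHANGELOG entry says so. Previously such a server with no matching `trust-anchor` was marked "(no DNSSEC)" and its answers bypassed validation; now they are validated against the public chain, so a private resolver answering for a domain whose public parent publishes a DS for it will have its unsigned answers rejected as BOGUS (SERVFAIL). That is the fail-closed direction and removes a quiet validation bypass, but it is user-visible until the configured or extrapolated DS records mentioned in the commit message land, so it deserves a sentence in the commit message and a `--dnssec` caveat in the man page. SERV_DO_DNSSEC has no remaining writer in this diff; if dnsmasq.h still defines it and nothing else reads it, the flag can go too. check_servers begins before the hunk and continues after it.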
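Review bot: After this hunk `s3` on the `char *s1, *s2, *s3 = "", *s4 = "";` line is initialised to the empty string and never assigned again, so it is dead unless something later in check_servers (outside the hunk) still writes it; if its only remaining use is a `%s` in the log call, drop both the variable and the format argument rather than leave an always-empty placeholder. The translated string `(no DNSSEC)` is likewise now unreferenced and can be retired from the .po catalogues. check_servers's body continues past the hunk.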