Remove the concept of "DNSSEC incapable servers".

We're going to replace this with configured or extrapolated DS records.
Simon Kelley
2025-02-02 16:21:21 +00:00
parent 9af15871e6
commit 3e659bd4ec
3 changed files with 9 additions and 47 deletions


@@ -375,7 +375,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
forward->flags = fwd_flags;
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC))
if (option_bool(OPT_DNSSEC_VALID))
{
plen = add_do_bit(header, plen, ((unsigned char *) header) + daemon->edns_pktsz);
@@ -954,8 +954,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
status = dnssec_validate_ds(now, header, plen, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
else
status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
!option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
NULL, NULL, NULL, &orig->validate_counter);
!option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, &orig->validate_counter);
if (STAT_ISEQUAL(status, STAT_ABANDONED))
log_resource = 1;
@@ -1278,7 +1277,7 @@ void reply_query(int fd, time_t now)
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))
{
if ((forward->sentto->flags & SERV_DO_DNSSEC) && !(forward->flags & FREC_CHECKING_DISABLED))
if (!(forward->flags & FREC_CHECKING_DISABLED))
{
dnssec_validate(forward, header, n, STAT_OK, now);
return;
@@ -2271,8 +2270,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount);
else
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
!option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
NULL, NULL, NULL, validatecount);
!option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, validatecount);
if (!STAT_ISEQUAL(new_status, STAT_NEED_DS) && !STAT_ISEQUAL(new_status, STAT_NEED_KEY) && !STAT_ISEQUAL(new_status, STAT_ABANDONED))
break;
@@ -2598,7 +2596,7 @@ unsigned char *tcp_request(int confd, time_t now,
start = master->last_server;
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC))
if (option_bool(OPT_DNSSEC_VALID))
{
size = add_do_bit(header, size, ((unsigned char *) header) + 65536);
@@ -2627,7 +2625,7 @@ unsigned char *tcp_request(int confd, time_t now,
if (checking_disabled || (header->hb4 & HB4_CD))
no_cache_dnssec = 1;
else if (master->flags & SERV_DO_DNSSEC)
else
{
int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
int validatecount = daemon->limit[LIMIT_CRYPTO];