Remove the concept of "DNSSEC incapable servers".

We're going to replace this with configured or extrapolated DS records.
Simon Kelley
2025-02-02 16:21:21 +00:00
parent 9af15871e6
commit 3e659bd4ec
3 changed files with 9 additions and 47 deletions


@@ -94,8 +94,7 @@ void build_server_array(void)
server=/.example.com/ works. server=/.example.com/ works.
A flag of F_SERVER returns an upstream server only. A flag of F_SERVER returns an upstream server only.
A flag of F_DNSSECOK returns a DNSSEC capable server only and A flag of F_DNSSECOK disables NODOTS servers from consideration.
also disables NODOTS servers from consideration.
A flag of F_DOMAINSRV returns a domain-specific server only. A flag of F_DOMAINSRV returns a domain-specific server only.
A flag of F_CONFIG returns anything that generates a local A flag of F_CONFIG returns anything that generates a local
reply of IPv4 or IPV6. reply of IPv4 or IPV6.
@@ -338,12 +337,8 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
if (i != nlow) if (i != nlow)
{ {
/* If we want a server that can do DNSSEC, and this one can't, /* If we want a server for a particular domain, and this one isn't, return nothing. */
return nothing, similarly if were looking only for a server if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
for a particular domain. */
if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC))
nlow = nhigh;
else if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
nlow = nhigh; nlow = nhigh;
else else
nhigh = i; nhigh = i;
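Review bot: After the filter_servers hunk, F_DNSSECOK no longer filters on server capability — the only effect left is the NODOTS exclusion now described in the build_server_array comment — so the flag's name misstates what it does at every caller. A comment at the flag's definition (not in this section) such as `/* F_DNSSECOK: no longer selects DNSSEC-capable servers; it only excludes SERV_FOR_NODOTS servers from the search */` would stop readers from assuming the old guarantee, or the flag could be renamed in a follow-up. Both hunks are cut from functions whose bodies start and end outside them.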


@@ -375,7 +375,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
forward->flags = fwd_flags; forward->flags = fwd_flags;
#ifdef HAVE_DNSSEC #ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC)) if (option_bool(OPT_DNSSEC_VALID))
{ {
plen = add_do_bit(header, plen, ((unsigned char *) header) + daemon->edns_pktsz); plen = add_do_bit(header, plen, ((unsigned char *) header) + daemon->edns_pktsz);
@@ -954,8 +954,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
status = dnssec_validate_ds(now, header, plen, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter); status = dnssec_validate_ds(now, header, plen, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
else else
status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
!option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), !option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, &orig->validate_counter);
NULL, NULL, NULL, &orig->validate_counter);
if (STAT_ISEQUAL(status, STAT_ABANDONED)) if (STAT_ISEQUAL(status, STAT_ABANDONED))
log_resource = 1; log_resource = 1;
@@ -1278,7 +1277,7 @@ void reply_query(int fd, time_t now)
#ifdef HAVE_DNSSEC #ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID)) if (option_bool(OPT_DNSSEC_VALID))
{ {
if ((forward->sentto->flags & SERV_DO_DNSSEC) && !(forward->flags & FREC_CHECKING_DISABLED)) if (!(forward->flags & FREC_CHECKING_DISABLED))
{ {
dnssec_validate(forward, header, n, STAT_OK, now); dnssec_validate(forward, header, n, STAT_OK, now);
return; return;
@@ -2271,8 +2270,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount); new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount);
else else
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
!option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), !option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, validatecount);
NULL, NULL, NULL, validatecount);
if (!STAT_ISEQUAL(new_status, STAT_NEED_DS) && !STAT_ISEQUAL(new_status, STAT_NEED_KEY) && !STAT_ISEQUAL(new_status, STAT_ABANDONED)) if (!STAT_ISEQUAL(new_status, STAT_NEED_DS) && !STAT_ISEQUAL(new_status, STAT_NEED_KEY) && !STAT_ISEQUAL(new_status, STAT_ABANDONED))
break; break;
@@ -2598,7 +2596,7 @@ unsigned char *tcp_request(int confd, time_t now,
start = master->last_server; start = master->last_server;
#ifdef HAVE_DNSSEC #ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC)) if (option_bool(OPT_DNSSEC_VALID))
{ {
size = add_do_bit(header, size, ((unsigned char *) header) + 65536); size = add_do_bit(header, size, ((unsigned char *) header) + 65536);
@@ -2627,7 +2625,7 @@ unsigned char *tcp_request(int confd, time_t now,
if (checking_disabled || (header->hb4 & HB4_CD)) if (checking_disabled || (header->hb4 & HB4_CD))
no_cache_dnssec = 1; no_cache_dnssec = 1;
else if (master->flags & SERV_DO_DNSSEC) else
{ {
int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
int validatecount = daemon->limit[LIMIT_CRYPTO]; int validatecount = daemon->limit[LIMIT_CRYPTO];
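Review bot: With the SERV_DO_DNSSEC tests dropped in forward_query, reply_query, dnssec_validate and tcp_request, every reply is now validated and the DO bit is set on every upstream query, but the DS-based replacement named in the commit message is not part of this commit, so a zone routed to a server=/domain/ upstream that has no configured trust anchor and is not signed in the public tree will presumably have its DS lookups sent to that same upstream and fail validation (BOGUS/SERVFAIL) where the removed check_servers logic deliberately left it unvalidated. Unqualified names sent to SERV_FOR_NODOTS servers are in the same position, and the "(no DNSSEC)" marker that told operators which servers were exempt is gone with it. Until the follow-up lands this transitional behaviour should at least be called out, e.g. above the dnssec_validate call in reply_query: `/* All upstreams are validated now; server=/domain/ zones without a configured (or, later, extrapolated) DS will fail validation. */`. Every hunk in this section is cut from a function whose body starts and ends outside it.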


@@ -1587,33 +1587,6 @@ void check_servers(int no_loop_check)
for (count = 0, serv = daemon->servers; serv; serv = serv->next) for (count = 0, serv = daemon->servers; serv; serv = serv->next)
{ {
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))
{
if (!(serv->flags & SERV_FOR_NODOTS))
serv->flags |= SERV_DO_DNSSEC;
/* Disable DNSSEC validation when using server=/domain/.... servers
unless there's a configured trust anchor. */
if (strlen(serv->domain) != 0)
{
struct ds_config *ds;
char *domain = serv->domain;
/* .example.com is valid */
while (*domain == '.')
domain++;
for (ds = daemon->ds; ds; ds = ds->next)
if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
break;
if (!ds)
serv->flags &= ~SERV_DO_DNSSEC;
}
}
#endif
port = prettyprint_addr(&serv->addr, daemon->namebuff); port = prettyprint_addr(&serv->addr, daemon->namebuff);
/* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */ /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
@@ -1659,10 +1632,6 @@ void check_servers(int no_loop_check)
{ {
char *s1, *s2, *s3 = "", *s4 = ""; char *s1, *s2, *s3 = "", *s4 = "";
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
s3 = _("(no DNSSEC)");
#endif
if (serv->flags & SERV_FOR_NODOTS) if (serv->flags & SERV_FOR_NODOTS)
s1 = _("unqualified"), s2 = _("names"); s1 = _("unqualified"), s2 = _("names");
else if (strlen(serv->domain) == 0) else if (strlen(serv->domain) == 0)