From 5b3bf921013e41087bbd6b906974ab628ab59639 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Sat, 25 Jan 2014 17:03:07 +0000 Subject: [PATCH] --dnssec-debug --- src/dnsmasq.h | 3 ++- src/dnssec.c | 4 +++- src/forward.c | 5 ++++- src/option.c | 3 +++ src/rfc1035.c | 5 +++-- 5 files changed, 15 insertions(+), 5 deletions(-) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 8213dde..f919222 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -231,7 +231,8 @@ struct event_desc { #define OPT_QUIET_RA 44 #define OPT_DNSSEC_VALID 45 #define OPT_DNSSEC_PERMISS 46 -#define OPT_LAST 47 +#define OPT_DNSSEC_DEBUG 47 +#define OPT_LAST 48 /* extra flags for my_syslog, we use a couple of facilities since they are known not to occupy the same bits as priorities, no matter how syslog.h is set up. */ diff --git a/src/dnssec.c b/src/dnssec.c index 4caea9a..7a77636 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -1351,7 +1351,9 @@ size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, i header->hb3 = HB3_RD; SET_OPCODE(header, QUERY); - header->hb4 = HB4_CD; + /* For debugging, set Checking Disabled, otherwise, have the upstream check too, + this allows it to select auth servers when one is returning bad data. */ + header->hb4 = option_bool(OPT_DNSSEC_DEBUG) ? HB4_CD : 0; /* ID filled in later */ diff --git a/src/forward.c b/src/forward.c index 7af6f1f..6ac71e6 100644 --- a/src/forward.c +++ b/src/forward.c @@ -386,7 +386,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, if (option_bool(OPT_DNSSEC_VALID)) { plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz); - header->hb4 |= HB4_CD; + /* For debugging, set Checking Disabled, otherwise, have the upstream check too, + this allows it to select auth servers when one is returning bad data. */ + if (option_bool(OPT_DNSSEC_DEBUG)) + header->hb4 |= HB4_CD; } #endif diff --git a/src/option.c b/src/option.c index 760fd62..88a569d 100644 --- a/src/option.c +++ b/src/option.c 
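Review bot: The new comment on the `header->hb4` assignment in dnssec.c explains the default but not its consequence: with CD clear, a validating upstream answers SERVFAIL for anything it considers bogus, so the reply never reaches dnsmasq's own validator and, in what is presumably the DNSKEY/DS fetch path (judging by the function name), a bogus key is indistinguishable here from a plain upstream failure. That fails closed, which is fine, but it is worth writing down so that `--dnssec-debug` is not later read as the weaker mode — the CD-set path is the one that depends only on local validation. I would extend the comment to `/* CD clear: a validating upstream SERVFAILs bogus data before we see it (and may retry other auth servers); CD set (--dnssec-debug): upstream returns the data unvalidated so our own validator can inspect it. */`. The same decision is now duplicated in forward.c; a shared one-liner such as `static inline int upstream_cd_flag(void) { return option_bool(OPT_DNSSEC_DEBUG) ? HB4_CD : 0; }` in dnsmasq.h would keep the two in step. dnssec_generate_query starts before the hunk and continues after it.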
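Review bot: Clearing CD by default in forward.c changes how `--dnssec-permissive` behaves behind a validating upstream, and the hunk does not say so: the upstream now returns SERVFAIL for bogus data before dnsmasq's validator runs, so the permissive option (whose help text in option.c promises not to return SERVFAIL on validation failure) can only take effect when `--dnssec-debug` is also set or the upstream does not validate. A second, smaller change is that what is presumably the client's own CD bit is now passed upstream untouched instead of being forced on, which may be intended but deserves a sentence. I would add after the new `if`: `/* Note: --dnssec-permissive only sees bogus data when CD is set here or the upstream is non-validating; a validating upstream SERVFAILs it first. */`, and state both points in the man page entry for the new option. forward_query begins before the hunk and continues after it.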
@@ -141,6 +141,7 @@ struct myoption { #define LOPT_SEC_VALID 329 #define LOPT_DNSKEY 330 #define LOPT_DNSSEC_PERM 331 +#define LOPT_DNSSEC_DEBUG 332 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = @@ -279,6 +280,7 @@ static const struct myoption opts[] = { "dnssec", 0, 0, LOPT_SEC_VALID }, { "dnskey", 1, 0, LOPT_DNSKEY }, { "dnssec-permissive", 0, 0, LOPT_DNSSEC_PERM }, + { "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG }, #ifdef OPTION6_PREFIX_CLASS { "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS }, #endif @@ -432,6 +434,7 @@ static struct { { LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC validation"), NULL }, { LOPT_DNSKEY, ARG_DUP, ",,", gettext_noop("Specify trust anchor DNSKEY"), NULL }, { LOPT_DNSSEC_PERM, OPT_DNSSEC_PERMISS, NULL, gettext_noop("Do NOT return SERVFAIL whne DNSSEC validation fails."), NULL }, + { LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL }, #ifdef OPTION6_PREFIX_CLASS { LOPT_PREF_CLSS, ARG_DUP, "set:tag,", gettext_noop("Specify DHCPv6 prefix class"), NULL }, #endif diff --git a/src/rfc1035.c b/src/rfc1035.c index ec2c7a9..429acbe 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -1737,8 +1737,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, /* Need to re-run original cache search */ crecp = gotsig ? cache_find_by_addr(NULL, &addr, now, is_arpa) : NULL; } - } #endif + } if (crecp) { @@ -1957,8 +1957,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, /* Need to re-run original cache search */ crecp = gotsig ? cache_find_by_name(NULL, name, now, flag | F_CNAME) : NULL; } - } #endif + } + if (crecp) do {
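Review bot: The new help string `"Disable upstream checking for DNSSEC debugging."` reads as if the option disables DNSSEC validation, which from the dnssec.c and forward.c hunks it does not: it sets Checking Disabled on upstream queries so the upstream hands back data it would otherwise reject, and dnsmasq still validates locally. Users skimming `--help` for a way to switch validation off may pick this option on that reading and end up with the wrong mental model either way. I would make the text say what the bit does, e.g. `gettext_noop("Send DNSSEC queries upstream with Checking Disabled set (debugging; local validation still applies).")`. The adjacent existing entry spells `whne` for `when`; unrelated to this change but cheap to fix in the same file.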
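Review bot: Moving the closing brace from inside `#ifdef HAVE_DNSSEC` to after `#endif` in rfc1035.c looks like a brace-balance fix for builds without HAVE_DNSSEC rather than part of the `--dnssec-debug` feature, and the commit message does not mention it. Since answer_request begins and ends outside both hunks I cannot confirm the braces now balance in both configurations; a build with and without HAVE_DNSSEC would settle it. I would either split this (together with the identical second rfc1035.c hunk) into its own commit or add a line to the message such as `Also fix brace placement in answer_request() when HAVE_DNSSEC is undefined.`.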