--dnssec-debug

2025-12-19 18:28:25 +00:00 · 2014-01-25 17:03:07 +00:00
parent 0744ca66ad
commit 5b3bf92101
5 changed files with 15 additions and 5 deletions
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -231,7 +231,8 @@ struct event_desc {
 #define OPT_QUIET_RA	   44
 #define OPT_DNSSEC_VALID   45
 #define OPT_DNSSEC_PERMISS 46
-#define OPT_LAST           47
+#define OPT_DNSSEC_DEBUG   47
+#define OPT_LAST           48

 /* extra flags for my_syslog, we use a couple of facilities since they are known 
   not to occupy the same bits as priorities, no matter how syslog.h is set up. */
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1351,7 +1351,9 @@ size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, i

  header->hb3 = HB3_RD; 
  SET_OPCODE(header, QUERY);
-  header->hb4 = HB4_CD;
+  /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
+     this allows it to select auth servers when one is returning bad data. */
+  header->hb4 = option_bool(OPT_DNSSEC_DEBUG) ? HB4_CD : 0;

  /* ID filled in later */

--- a/src/forward.c
+++ b/src/forward.c
@@ -386,6 +386,9 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
      if (option_bool(OPT_DNSSEC_VALID))
 	{
 	  plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
+	  /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
+	     this allows it to select auth servers when one is returning bad data. */
+	  if (option_bool(OPT_DNSSEC_DEBUG))
 	    header->hb4 |= HB4_CD;
 	}
 #endif
--- a/src/option.c
+++ b/src/option.c
@@ -141,6 +141,7 @@ struct myoption {
 #define LOPT_SEC_VALID    329
 #define LOPT_DNSKEY       330
 #define LOPT_DNSSEC_PERM  331
+#define LOPT_DNSSEC_DEBUG 332

 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =  
@@ -279,6 +280,7 @@ static const struct myoption opts[] =
    { "dnssec", 0, 0, LOPT_SEC_VALID },
    { "dnskey", 1, 0, LOPT_DNSKEY },
    { "dnssec-permissive", 0, 0, LOPT_DNSSEC_PERM },
+    { "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG },
 #ifdef OPTION6_PREFIX_CLASS 
    { "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS },
 #endif
@@ -432,6 +434,7 @@ static struct {
  { LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC validation"), NULL },
  { LOPT_DNSKEY, ARG_DUP, "<domain>,<algo>,<key>", gettext_noop("Specify trust anchor DNSKEY"), NULL },
  { LOPT_DNSSEC_PERM, OPT_DNSSEC_PERMISS, NULL, gettext_noop("Do NOT return SERVFAIL whne DNSSEC validation fails."), NULL },
+  { LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
 #ifdef OPTION6_PREFIX_CLASS 
  { LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify DHCPv6 prefix class"), NULL },
 #endif
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1737,8 +1737,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			  /* Need to re-run original cache search */
 			  crecp = gotsig ? cache_find_by_addr(NULL, &addr, now, is_arpa) : NULL;
 			}
-		    }
 #endif
+		    }

 		  if (crecp)
 		    {
@@ -1957,8 +1957,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			  /* Need to re-run original cache search */
 			  crecp = gotsig ? cache_find_by_name(NULL, name, now, flag | F_CNAME) : NULL;
 			}
-		    }		 
 #endif
+		    }		 
+
 		  if (crecp)
 		    do
 		      {