From b43585c34baf0c5eb478aa07423da534b2118536 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Sat, 28 Mar 2020 17:41:06 +0000
Subject: [PATCH] Fix nameserver list in auth mode.

If dnsmasq is not acting as an authoritative nameserver (no second argument to --auth-server) then it should not appear in the NS RRset. This leaves simply the list of servers specified in --auth-sec-servers.

---
 man/dnsmasq.8 | 2 +-
 src/auth.c | 22 +++++++++++++---------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 2032a37..8ce0e68 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -244,7 +244,7 @@ specified interface. The
 is the "glue record". It should resolve in the global DNS to an A and/or AAAA record which points to the address dnsmasq is listening on. When an interface is specified, it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
-addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the glue record.
+addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
 .TP
 .B --local-service
 Accept DNS queries only from hosts whose address is on a local subnet,
diff --git a/src/auth.c b/src/auth.c
index 4daae30..b2fcd4b 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -628,16 +628,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 {
 struct name_list *secondary;
- newoffset = ansp - (unsigned char *)header;
- if (add_resource_record(header, limit, &trunc, -offset, &ansp,
- daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+ /* Only include the machine running dnsmasq if it's acting as an auth server */
+ if (daemon->authinterface)
 {
- if (offset == 0)
- offset = newoffset;
- if (ns)
- anscount++;
- else
- authcount++;
+ newoffset = ansp - (unsigned char *)header;
+ if (add_resource_record(header, limit, &trunc, -offset, &ansp,
+ daemon->auth_ttl, NULL, T_NS, C_IN, "d", offset == 0 ? authname : NULL, daemon->authserver))
+ {
+ if (offset == 0)
+ offset = newoffset;
+ if (ns)
+ anscount++;
+ else
+ authcount++;
+ }
 }
 if (!subnet)
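Review bot: Guarding the dnsmasq NS record on `daemon->authinterface` leaves the NS RRset empty when no `--auth-sec-servers` are configured either, since the only other source of NS records is the `secondary` list whose loop follows below the hunk (inferred from the `struct name_list *secondary;` declaration, not visible here). A zone apex with zero NS records is malformed, and resolvers performing delegation or apex-NS checks may reject or log it, so either fall back to emitting `daemon->authserver` when the secondary list is empty, or refuse that configuration at option-parse time so the operator sees the mistake rather than clients. The new comment should also say why this is the right test, e.g. `/* --auth-server with no interface/address means dnsmasq only serves this zone as part of its recursive service, so the NS RRset is the --auth-sec-servers list alone */`. answer_auth's body starts and ends outside the hunk.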