Return EDE OTHER error when DNSSEC validation abandoned.

This distinguishes the case where validation found a message to be bogus
from cases where the validation process itself failed (was abandoned).
Simon Kelley
2025-01-12 16:00:09 +00:00
parent f162d344c0
commit b58276a73c
2 changed files with 14 additions and 4 deletions


@@ -18,7 +18,7 @@
#define MAX_PROCS 20 /* default max no children for TCP requests */
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */
#define TCP_TIMEOUT 1 /* timeout waiting to connect to an upstream server - double this for answer */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
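Review bot: The change between `#define TCP_TIMEOUT 5` and `#define TCP_TIMEOUT 1` is not mentioned in the commit message, which only describes the EDE change, and this rendering does not show which value is old and which is new. If the new value is 1, that is a very short window to connect to an upstream over TCP (and, per the line's own comment, twice that for an answer), which could turn slow-but-healthy upstreams into failed queries; if it is instead a revert of a debugging value, that is worth stating. Either way the description should name the intended timeout and the reason it changed, since it is unrelated to the DNSSEC EDE work.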


@@ -780,7 +780,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
header->ancount = htons(0);
header->nscount = htons(0);
header->arcount = htons(0);
ede = EDE_DNSSEC_BOGUS;
}
}
else if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
@@ -1244,20 +1243,25 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
char *result, *domain = "result";
union all_addr a;
a.log.ede = ede = errflags_to_ede(status);
ede = errflags_to_ede(status);
if (STAT_ISEQUAL(status, STAT_ABANDONED))
{
result = "ABANDONED";
status = STAT_BOGUS;
if (ede == EDE_UNSET)
ede = EDE_OTHER;
}
else
result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
if (STAT_ISEQUAL(status, STAT_SECURE))
cache_secure = 1;
else if (STAT_ISEQUAL(status, STAT_BOGUS))
{
if (ede == EDE_UNSET)
ede = EDE_DNSSEC_BOGUS;
no_cache_dnssec = 1;
bogusanswer = 1;
@@ -1265,6 +1269,7 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
domain = daemon->namebuff;
}
a.log.ede = ede;
log_query(F_SECSTAT, domain, &a, result, 0);
}
}
@@ -2457,12 +2462,14 @@ unsigned char *tcp_request(int confd, time_t now,
char *result, *domain = "result";
union all_addr a;
a.log.ede = ede = errflags_to_ede(status);
ede = errflags_to_ede(status);
if (STAT_ISEQUAL(status, STAT_ABANDONED))
{
result = "ABANDONED";
status = STAT_BOGUS;
if (ede == EDE_UNSET)
ede = EDE_OTHER;
}
else
result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
@@ -2471,6 +2478,8 @@ unsigned char *tcp_request(int confd, time_t now,
cache_secure = 1;
else if (STAT_ISEQUAL(status, STAT_BOGUS))
{
if (ede == EDE_UNSET)
ede = EDE_DNSSEC_BOGUS;
no_cache_dnssec = 1;
bogusanswer = 1;
@@ -2478,6 +2487,7 @@ unsigned char *tcp_request(int confd, time_t now,
domain = daemon->namebuff;
}
a.log.ede = ede;
log_query(F_SECSTAT, domain, &a, result, 0);
if ((daemon->limit[LIMIT_CRYPTO] - validatecount) > (int)daemon->metrics[METRIC_CRYPTO_HWM])
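Review bot: The new `if (ede == EDE_UNSET) ede = EDE_DNSSEC_BOGUS;` in the STAT_BOGUS branch of return_reply (and the identical one in tcp_request) only preserves EDE_OTHER for an abandoned validation because the ABANDONED branch above it runs first and fills ede in before forcing `status = STAT_BOGUS`; that ordering is load-bearing and deserves a comment there, e.g. `/* ABANDONED already set EDE_OTHER above; only a genuine validation failure reaches here with ede unset. */`. The same defaulting is now duplicated verbatim between the UDP and TCP paths, so a small static helper taking (status, ede) and returning the defaulted EDE would keep the two from drifting. Removing `ede = EDE_DNSSEC_BOGUS;` from process_reply also means a stripped bogus answer now reports whatever EDE the caller passed in, so it is worth confirming that every caller that can reach that branch goes through the new defaulting. The enclosing functions (process_reply, return_reply, tcp_request) all start and end outside the hunks shown.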