Handle truncated response UDP-to-TCP to downstream queries when validating.

A relatively common situation is that the reply to a downstream query will fit in a UDP packet when no DNSSEC RRs are present, but overflows when the RRSIGS, NSEC ect are added. This extends the automatic move from UDP to TCP to downstream queries which get truncated replies, in the hope that once stripped of the DNSSEC RRs, the reply can be returned via UDP, nwithout making the downstream retry with TCP. If the downstream sets the DO bit, (ie it wants the DNSSEC RRs, then this path is not taken, since the downstream will have to get a truncated repsonse and retry to get a correct answer.
2025-12-19 18:28:25 +00:00 · 2024-10-12 22:25:06 +01:00
parent 1c26ec2876
commit d15d371051
6 changed files with 193 additions and 88 deletions
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,8 @@ struct event_desc {
 #define OPT_NO_IDENT       70
 #define OPT_CACHE_RR       71
 #define OPT_LOCALHOST_SERVICE  72
-#define OPT_LAST           73
+#define OPT_LOG_PROTO      73
+#define OPT_LAST           74

 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
@@ -747,9 +748,7 @@ struct dyndir {
 #define STAT_SECURE_WILDCARD    0x70000
 #define STAT_OK                 0x80000
 #define STAT_ABANDONED          0x90000
-#define STAT_NEED_DS_QUERY      0xa0000
-#define STAT_NEED_KEY_QUERY     0xb0000
-#define STAT_ASYNC              0xc0000
+#define STAT_ASYNC              0xa0000

 #define DNSSEC_FAIL_NYV         0x0001 /* key not yet valid */
 #define DNSSEC_FAIL_EXP         0x0002 /* key expired */
@@ -1527,11 +1526,12 @@ int option_read_dynfile(char *file, int flags);
 /* forward.c */
 void reply_query(int fd, time_t now);
 void receive_query(struct listener *listen, time_t now);
+void return_reply(time_t now, struct frec *forward, struct dns_header *header, ssize_t n, int status);
 #ifdef HAVE_DNSSEC
 void pop_and_retry_query(struct frec *forward, int status, time_t now);
-int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, 
-		    int class, char *name, char *keyname, struct server *server, 
-		    int have_mark, unsigned int mark, int *keycount, int *validatecount);
+int tcp_from_udp(time_t now, int status, struct dns_header *header, ssize_t *n, 
+		 int class, char *name, char *keyname, struct server *server, 
+		 int *keycount, int *validatecount);
 #endif
 unsigned char *tcp_request(int confd, time_t now,
 			   union mysockaddr *local_addr, struct in_addr netmask, int auth_dns);
@@ -1654,7 +1654,7 @@ void send_event(int fd, int event, int data, char *msg);
 void clear_cache_and_reload(time_t now);
 #ifdef HAVE_DNSSEC
 int swap_to_tcp(struct frec *forward, time_t now, int status, struct dns_header *header,
-		size_t plen, int class, struct server *server, int *keycount, int *validatecount);
+		ssize_t *plen, int class, struct server *server, int *keycount, int *validatecount);
 #endif

 /* netlink.c */