author | Jeremie Courreges-Anglas <jca@cvs.openbsd.org> | 2017-02-27 11:38:09 +0000 |
---|---|---|
committer | Jeremie Courreges-Anglas <jca@cvs.openbsd.org> | 2017-02-27 11:38:09 +0000 |
commit | f088c9c75a9b3f132918d677b8b52eabe493e633 (patch) | |
tree | 3a1320c26692624d06130309bc011c5892759cd8 | |
parent | 9edc258191f4552fdf21290b3257df0602093054 (diff) |
Add support for RES_USE_DNSSEC
RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing
queries. The resolver is then supposed to set the AD bit in the reply
if it managed to validate the answer through DNSSEC. Useful when the
application doesn't implement validation internally. This scheme
assumes that the validating resolver is trusted and that the
communication channel between the validating resolver and the client
is secure.
ok eric@ gilles@
-rw-r--r-- | lib/libc/asr/asr_private.h | 4 | ||||
-rw-r--r-- | lib/libc/asr/asr_utils.c | 13 | ||||
-rw-r--r-- | lib/libc/asr/res_mkquery.c | 9 | ||||
-rw-r--r-- | lib/libc/asr/res_send_async.c | 9 | ||||
-rw-r--r-- | lib/libc/net/resolver.3 | 7 |
5 files changed, 24 insertions, 18 deletions
diff --git a/lib/libc/asr/asr_private.h b/lib/libc/asr/asr_private.h
index 80baf031890..e922017df24 100644
--- a/lib/libc/asr/asr_private.h
+++ b/lib/libc/asr/asr_private.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr_private.h,v 1.45 2017/02/27 11:31:01 jca Exp $ */
+/* $OpenBSD: asr_private.h,v 1.46 2017/02/27 11:38:08 jca Exp $ */
 /*
  * Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
  *
@@ -297,7 +297,7 @@ __BEGIN_HIDDEN_DECLS
 void _asr_pack_init(struct asr_pack *, char *, size_t);
 int _asr_pack_header(struct asr_pack *, const struct asr_dns_header *);
 int _asr_pack_query(struct asr_pack *, uint16_t, uint16_t, const char *);
-int _asr_pack_edns0(struct asr_pack *, uint16_t);
+int _asr_pack_edns0(struct asr_pack *, uint16_t, int);
 void _asr_unpack_init(struct asr_unpack *, const char *, size_t);
 int _asr_unpack_header(struct asr_unpack *, struct asr_dns_header *);
 int _asr_unpack_query(struct asr_unpack *, struct asr_dns_query *);
diff --git a/lib/libc/asr/asr_utils.c b/lib/libc/asr/asr_utils.c
index 25d9f2da389..f700973ce2f 100644
--- a/lib/libc/asr/asr_utils.c
+++ b/lib/libc/asr/asr_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr_utils.c,v 1.16 2017/02/19 12:02:30 jca Exp $ */
+/* $OpenBSD: asr_utils.c,v 1.17 2017/02/27 11:38:08 jca Exp $ */
 /*
  * Copyright (c) 2009-2012 Eric Faurot <eric@faurot.net>
  *
@@ -423,12 +423,19 @@ _asr_pack_query(struct asr_pack *p, uint16_t type, uint16_t class, const char *d
 }
 
 int
-_asr_pack_edns0(struct asr_pack *p, uint16_t pktsz)
+_asr_pack_edns0(struct asr_pack *p, uint16_t pktsz, int dnssec_do)
 {
+ DPRINT("asr EDNS0 pktsz:%hu dnssec:%s\n", pktsz,
+ dnssec_do ? "yes" : "no");
+
  pack_dname(p, ""); /* root */
  pack_u16(p, T_OPT); /* OPT */
  pack_u16(p, pktsz); /* UDP payload size */
- pack_u32(p, 0); /* extended RCODE and flags */
+
+ /* extended RCODE and flags */
+ pack_u16(p, 0);
+ pack_u16(p, dnssec_do ? DNS_MESSAGEEXTFLAG_DO : 0);
+
  pack_u16(p, 0); /* RDATA len */
 
  return (p->err) ? (-1) : (0);
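Review bot: The two `pack_u16` calls that replace `pack_u32(p, 0)` in `_asr_pack_edns0` carry no comment saying which EDNS0 fields they fill, so a reader has to know that the OPT RR's 32-bit TTL slot is extended-RCODE/version followed by the DO|Z flag word, and that the split is only right if `DNS_MESSAGEEXTFLAG_DO` is the high bit of that second word, which this hunk does not show. I would annotate them `pack_u16(p, 0); /* extended RCODE, EDNS version 0 */` and `pack_u16(p, dnssec_do ? DNS_MESSAGEEXTFLAG_DO : 0); /* DO | Z */`. A short header comment on the function should also state that DO only asks the upstream resolver for DNSSEC material: nothing in this function or its callers inspects the AD bit of the reply, so an application relying on it still has to trust the resolver and the path to it, as the commit message says. The prototype in asr_private.h gains a bare `int` third parameter; a `/* dnssec_do */` name or comment there would help, since callers pass a masked option word rather than 0/1. The function's closing brace is outside the hunk.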
diff --git a/lib/libc/asr/res_mkquery.c b/lib/libc/asr/res_mkquery.c
index 340c1f11f74..d6800877279 100644
--- a/lib/libc/asr/res_mkquery.c
+++ b/lib/libc/asr/res_mkquery.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_mkquery.c,v 1.10 2017/02/18 19:23:05 jca Exp $ */
+/* $OpenBSD: res_mkquery.c,v 1.11 2017/02/27 11:38:08 jca Exp $ */
 /*
  * Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
  *
@@ -61,14 +61,15 @@ res_mkquery(int op, const char *dname, int class, int type,
  if (ac->ac_options & RES_RECURSE)
  h.flags |= RD_MASK;
  h.qdcount = 1;
- if (ac->ac_options & RES_USE_EDNS0)
+ if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
  h.arcount = 1;
 
  _asr_pack_init(&p, buf, buflen);
  _asr_pack_header(&p, &h);
  _asr_pack_query(&p, type, class, dn);
- if (ac->ac_options & RES_USE_EDNS0)
- _asr_pack_edns0(&p, MAXPACKETSZ);
+ if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
+ _asr_pack_edns0(&p, MAXPACKETSZ,
+ ac->ac_options & RES_USE_DNSSEC);
 
  _asr_ctx_unref(ac);
 
diff --git a/lib/libc/asr/res_send_async.c b/lib/libc/asr/res_send_async.c
index 931c8a495d3..3d4fa1a2277 100644
--- a/lib/libc/asr/res_send_async.c
+++ b/lib/libc/asr/res_send_async.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_send_async.c,v 1.33 2017/02/27 10:44:46 jca Exp $ */
+/* $OpenBSD: res_send_async.c,v 1.34 2017/02/27 11:38:08 jca Exp $ */
 /*
  * Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
  *
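Review bot: The test `ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC)` is written twice in res_mkquery, once for `h.arcount` and once for the `_asr_pack_edns0` call, and the same pair is repeated in setup_query in res_send_async.c; evaluating it once, `int edns0 = ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC);`, keeps the advertised arcount and the packed OPT RR from drifting apart if one copy is edited later. The reason the two options are folded together is also undocumented; a comment such as `/* DO lives in the OPT RR, so RES_USE_DNSSEC alone also needs EDNS0 */` would explain why RES_USE_DNSSEC, previously a no-op according to the resolver.3 hunk, now changes the packet. The third argument to `_asr_pack_edns0` is the masked option word rather than a 0/1 value, which is fine only as long as the callee keeps testing it for non-zero. The `p.err` check that decides whether the packed query is returned lies outside this hunk.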
@@ -377,14 +377,15 @@ setup_query(struct asr_query *as, const char *name, const char *dom,
  if (as->as_ctx->ac_options & RES_RECURSE)
  h.flags |= RD_MASK;
  h.qdcount = 1;
- if (as->as_ctx->ac_options & RES_USE_EDNS0)
+ if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
  h.arcount = 1;
 
  _asr_pack_init(&p, as->as.dns.obuf, as->as.dns.obufsize);
  _asr_pack_header(&p, &h);
  _asr_pack_query(&p, type, class, dname);
- if (as->as_ctx->ac_options & RES_USE_EDNS0)
- _asr_pack_edns0(&p, MAXPACKETSZ);
+ if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
+ _asr_pack_edns0(&p, MAXPACKETSZ,
+ as->as_ctx->ac_options & RES_USE_DNSSEC);
  if (p.err) {
  DPRINT("error packing query");
  errno = EINVAL;
diff --git a/lib/libc/net/resolver.3 b/lib/libc/net/resolver.3
index 68e509f4f0d..e371f7851c3 100644
--- a/lib/libc/net/resolver.3
+++ b/lib/libc/net/resolver.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: resolver.3,v 1.36 2017/02/18 19:23:05 jca Exp $
+.\" $OpenBSD: resolver.3,v 1.37 2017/02/27 11:38:08 jca Exp $
 .\"
 .\" Copyright (c) 1985, 1991, 1993
 .\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 18 2017 $
+.Dd $Mdocdate: February 27 2017 $
 .Dt RES_INIT 3
 .Os
 .Sh NAME
@@ -199,9 +199,6 @@
 uses 4096 bytes as input buffer size. Request that the resolver uses Domain Name System Security Extensions (DNSSEC), as defined in RFCs 4033, 4034, and 4035.
-On
-.Ox
-this option does nothing.
 .El
 .Pp
 The |