Diffstat (limited to 'lib')
-rw-r--r--lib/libc/asr/asr.c31
-rw-r--r--lib/libc/asr/asr_debug.c3
-rw-r--r--lib/libc/asr/res_mkquery.c4
-rw-r--r--lib/libc/asr/res_send_async.c23
-rw-r--r--lib/libc/net/res_init.316
5 files changed, 69 insertions, 8 deletions
diff --git a/lib/libc/asr/asr.c b/lib/libc/asr/asr.c
index 8bcb61b6000..7cbf6aab5c9 100644
--- a/lib/libc/asr/asr.c
+++ b/lib/libc/asr/asr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr.c,v 1.66 2021/11/05 13:08:58 kn Exp $ */
+/* $OpenBSD: asr.c,v 1.67 2021/11/22 20:18:27 jca Exp $ */
/*
* Copyright (c) 2010-2012 Eric Faurot <eric@openbsd.org>
*
@@ -661,7 +661,8 @@ pass0(char **tok, int n, struct asr_ctx *ac)
d = strtonum(tok[i] + 6, 1, 16, &e);
if (e == NULL)
ac->ac_ndots = d;
- }
+ } else if (!strcmp(tok[i], "trust-ad"))
+ ac->ac_options |= RES_TRUSTAD;
}
}
}
@@ -672,7 +673,10 @@ pass0(char **tok, int n, struct asr_ctx *ac)
static int
asr_ctx_from_string(struct asr_ctx *ac, const char *str)
{
- char buf[512], *ch;
+ struct sockaddr_in6 *sin6;
+ struct sockaddr_in *sin;
+ int i, trustad;
+ char buf[512], *ch;
asr_ctx_parse(ac, str);
@@ -702,6 +706,27 @@ asr_ctx_from_string(struct asr_ctx *ac, const char *str)
break;
}
+ trustad = 1;
+ for (i = 0; i < ac->ac_nscount && trustad; i++) {
+ switch (ac->ac_ns[i]->sa_family) {
+ case AF_INET:
+ sin = (struct sockaddr_in *)ac->ac_ns[i];
+ if (sin->sin_addr.s_addr != htonl(INADDR_LOOPBACK))
+ trustad = 0;
+ break;
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *)ac->ac_ns[i];
+ if (!IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
+ trustad = 0;
+ break;
+ default:
+ trustad = 0;
+ break;
+ }
+ }
+ if (trustad)
+ ac->ac_options |= RES_TRUSTAD;
+
return (0);
}
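Review bot: `trustad` starts at 1 and is only ever cleared inside the loop, so when `ac->ac_nscount` is 0 the body never runs and RES_TRUSTAD is set without a single loopback nameserver having been checked; unless an earlier step (not visible in this hunk) guarantees at least one nameserver, initialise it as `trustad = ac->ac_nscount > 0;`. The AF_INET branch accepts only INADDR_LOOPBACK itself rather than the whole 127/8 range, and an IPv4-mapped ::ffff:127.0.0.1 falls out of IN6_IS_ADDR_LOOPBACK as untrusted — both err on the safe side, but the manual page speaks of "localhost", so a comment above the loop should pin down what qualifies, e.g. `/* Trust the AD bit only if every nameserver is exactly 127.0.0.1 or ::1. */`. The start of asr_ctx_from_string lies outside the hunk.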
diff --git a/lib/libc/asr/asr_debug.c b/lib/libc/asr/asr_debug.c
index f9378d156b7..791a067f72d 100644
--- a/lib/libc/asr/asr_debug.c
+++ b/lib/libc/asr/asr_debug.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr_debug.c,v 1.27 2021/04/02 07:00:30 eric Exp $ */
+/* $OpenBSD: asr_debug.c,v 1.28 2021/11/22 20:18:27 jca Exp $ */
/*
* Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
*
@@ -286,6 +286,7 @@ _asr_dump_config(FILE *f, struct asr *a)
PRINTOPT(RES_USE_EDNS0, "USE_EDNS0");
PRINTOPT(RES_USE_DNSSEC, "USE_DNSSEC");
PRINTOPT(RES_USE_CD, "USE_CD");
+ PRINTOPT(RES_TRUSTAD, "TRUSTAD");
if (o)
fprintf(f, " 0x%08x", o);
fprintf(f, "\n");
diff --git a/lib/libc/asr/res_mkquery.c b/lib/libc/asr/res_mkquery.c
index c3d5af30f29..3e02dbba908 100644
--- a/lib/libc/asr/res_mkquery.c
+++ b/lib/libc/asr/res_mkquery.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_mkquery.c,v 1.13 2019/01/14 06:49:42 otto Exp $ */
+/* $OpenBSD: res_mkquery.c,v 1.14 2021/11/22 20:18:27 jca Exp $ */
/*
* Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
*
@@ -62,6 +62,8 @@ res_mkquery(int op, const char *dname, int class, int type,
h.flags |= RD_MASK;
if (ac->ac_options & RES_USE_CD)
h.flags |= CD_MASK;
+ if (ac->ac_options & RES_TRUSTAD)
+ h.flags |= AD_MASK;
h.qdcount = 1;
if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
h.arcount = 1;
diff --git a/lib/libc/asr/res_send_async.c b/lib/libc/asr/res_send_async.c
index c5cc41f56df..a309070efcd 100644
--- a/lib/libc/asr/res_send_async.c
+++ b/lib/libc/asr/res_send_async.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_send_async.c,v 1.39 2019/09/28 11:21:07 eric Exp $ */
+/* $OpenBSD: res_send_async.c,v 1.40 2021/11/22 20:18:27 jca Exp $ */
/*
* Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
*
@@ -42,6 +42,7 @@ static int udp_recv(struct asr_query *);
static int tcp_write(struct asr_query *);
static int tcp_read(struct asr_query *);
static int validate_packet(struct asr_query *);
+static void clear_ad(struct asr_result *);
static int setup_query(struct asr_query *, const char *, const char *, int, int);
static int ensure_ibuf(struct asr_query *, size_t);
static int iter_ns(struct asr_query *);
@@ -258,6 +259,8 @@ res_send_async_run(struct asr_query *as, struct asr_result *ar)
as->as.dns.ibuf = NULL;
ar->ar_errno = 0;
ar->ar_rcode = as->as.dns.rcode;
+ if (!(as->as_ctx->ac_options & RES_TRUSTAD))
+ clear_ad(ar);
async_set_state(as, ASR_STATE_HALT);
break;
@@ -378,6 +381,9 @@ setup_query(struct asr_query *as, const char *name, const char *dom,
h.flags |= RD_MASK;
if (as->as_ctx->ac_options & RES_USE_CD)
h.flags |= CD_MASK;
+ if (as->as_ctx->ac_options & RES_TRUSTAD)
+ h.flags |= AD_MASK;
+
h.qdcount = 1;
if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
h.arcount = 1;
@@ -748,6 +754,21 @@ validate_packet(struct asr_query *as)
}
/*
+ * Clear AD flag in the answer.
+ */
+static void
+clear_ad(struct asr_result *ar)
+{
+ struct asr_dns_header *h;
+ uint16_t flags;
+
+ h = (struct asr_dns_header *)ar->ar_data;
+ flags = ntohs(h->flags);
+ flags &= ~(AD_MASK);
+ h->flags = htons(flags);
+}
+
+/*
* Set the async context nameserver index to the next nameserver, cycling
* over the list until the maximum retry counter is reached. Return 0 on
* success, or -1 if all nameservers were used.
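Review bot: clear_ad overlays `struct asr_dns_header` directly on `ar->ar_data` and stores through `h->flags`, which assumes the struct is laid out exactly like the 12-byte wire header and that `ar_data` is aligned for 16-bit access; if the file's existing header parsing goes through unpack helpers rather than a cast, this would be the odd one out. It also does no length check, so it is only safe if every reply reaching the `clear_ad(ar)` call in res_send_async_run has already passed validate_packet with a complete header — that precondition belongs in the comment, e.g. `/* Clear the AD flag in the answer. ar_data must hold a validated reply (full header present). */`. A layout-independent form is `uint16_t flags; memcpy(&flags, (char *)ar->ar_data + 2, sizeof flags); flags = htons(ntohs(flags) & ~AD_MASK); memcpy((char *)ar->ar_data + 2, &flags, sizeof flags);`, offset 2 being the flags word of the DNS header.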
diff --git a/lib/libc/net/res_init.3 b/lib/libc/net/res_init.3
index 4a4d0950a5e..03e6fca7470 100644
--- a/lib/libc/net/res_init.3
+++ b/lib/libc/net/res_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: res_init.3,v 1.4 2020/04/25 21:06:17 jca Exp $
+.\" $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $
.\"
.\" Copyright (c) 1985, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 25 2020 $
+.Dd $Mdocdate: November 22 2021 $
.Dt RES_INIT 3
.Os
.Sh NAME
@@ -179,6 +179,18 @@ This option has no effect.
In the past, it turned off the legacy
.Ev HOSTALIASES
feature.
+.It Dv RES_TRUSTAD
+If set, the resolver routines will set the AD flag in DNS queries and
+preserve the value of the AD flag in DNS replies.
+If not set, the resolver routines will clear the AD flag in responses.
+Direct use of this option to enable AD bit processing is discouraged.
+Instead the use of trusted name servers should be annotated with
+.Dq options trust-ad
+in
+.Xr resolv.conf 5 .
+This option is automatically enabled if
+.Xr resolv.conf 5
+only lists name servers on localhost.
.It Dv RES_USE_INET6
With this option
.Xr gethostbyname 3