Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/asr/asr.c | 31 | ||||
-rw-r--r-- | lib/libc/asr/asr_debug.c | 3 | ||||
-rw-r--r-- | lib/libc/asr/res_mkquery.c | 4 | ||||
-rw-r--r-- | lib/libc/asr/res_send_async.c | 23 | ||||
-rw-r--r-- | lib/libc/net/res_init.3 | 16 |
5 files changed, 69 insertions, 8 deletions
diff --git a/lib/libc/asr/asr.c b/lib/libc/asr/asr.c
index 8bcb61b6000..7cbf6aab5c9 100644
--- a/lib/libc/asr/asr.c
+++ b/lib/libc/asr/asr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr.c,v 1.66 2021/11/05 13:08:58 kn Exp $ */
+/* $OpenBSD: asr.c,v 1.67 2021/11/22 20:18:27 jca Exp $ */
 /*
 * Copyright (c) 2010-2012 Eric Faurot <eric@openbsd.org>
 *
@@ -661,7 +661,8 @@ pass0(char **tok, int n, struct asr_ctx *ac)
 d = strtonum(tok[i] + 6, 1, 16, &e);
 if (e == NULL)
 ac->ac_ndots = d;
- }
+ } else if (!strcmp(tok[i], "trust-ad"))
+ ac->ac_options |= RES_TRUSTAD;
 }
 }
 }
@@ -672,7 +673,10 @@ pass0(char **tok, int n, struct asr_ctx *ac)
 static int
 asr_ctx_from_string(struct asr_ctx *ac, const char *str)
 {
- char buf[512], *ch;
+ struct sockaddr_in6 *sin6;
+ struct sockaddr_in *sin;
+ int i, trustad;
+ char buf[512], *ch;
 
 asr_ctx_parse(ac, str);
 
@@ -702,6 +706,27 @@ asr_ctx_from_string(struct asr_ctx *ac, const char *str)
 break;
 }
 
+ trustad = 1;
+ for (i = 0; i < ac->ac_nscount && trustad; i++) {
+ switch (ac->ac_ns[i]->sa_family) {
+ case AF_INET:
+ sin = (struct sockaddr_in *)ac->ac_ns[i];
+ if (sin->sin_addr.s_addr != htonl(INADDR_LOOPBACK))
+ trustad = 0;
+ break;
+ case AF_INET6:
+ sin6 = (struct sockaddr_in6 *)ac->ac_ns[i];
+ if (!IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
+ trustad = 0;
+ break;
+ default:
+ trustad = 0;
+ break;
+ }
+ }
+ if (trustad)
+ ac->ac_options |= RES_TRUSTAD;
+
 return (0);
 }
 
diff --git a/lib/libc/asr/asr_debug.c b/lib/libc/asr/asr_debug.c
index f9378d156b7..791a067f72d 100644
--- a/lib/libc/asr/asr_debug.c
+++ b/lib/libc/asr/asr_debug.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr_debug.c,v 1.27 2021/04/02 07:00:30 eric Exp $ */
+/* $OpenBSD: asr_debug.c,v 1.28 2021/11/22 20:18:27 jca Exp $ */
 /*
 * Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
 *
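Review bot: In the @@ -702 hunk of asr_ctx_from_string the auto-enable loop accepts only exactly 127.0.0.1 and ::1 — a nameserver at any other 127/8 address, or an IPv4-mapped ::ffff:127.0.0.1, sets trustad = 0 — which is narrower than the "name servers on localhost" wording this same commit adds to res_init.3, so a local resolver bound to, say, 127.0.0.2 silently never gets RES_TRUSTAD. Either tighten the man page to the two exact addresses or widen the IPv4 test to the loopback network, e.g. `if ((ntohl(sin->sin_addr.s_addr) & IN_CLASSA_NET) != (INADDR_LOOPBACK & IN_CLASSA_NET))`. The loop also runs zero times when ac_nscount is 0, leaving trustad = 1 and setting the flag for a context with no nameservers at all; whether a default nameserver is injected before this point is not visible in the hunk, so a comment above the loop stating the intent would help, e.g. `/* Trust the AD bit only if every configured nameserver is on the loopback interface. */`. The function's body continues outside the hunk.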
@@ -286,6 +286,7 @@ _asr_dump_config(FILE *f, struct asr *a)
 PRINTOPT(RES_USE_EDNS0, "USE_EDNS0");
 PRINTOPT(RES_USE_DNSSEC, "USE_DNSSEC");
 PRINTOPT(RES_USE_CD, "USE_CD");
+ PRINTOPT(RES_TRUSTAD, "TRUSTAD");
 if (o)
 fprintf(f, " 0x%08x", o);
 fprintf(f, "\n");
diff --git a/lib/libc/asr/res_mkquery.c b/lib/libc/asr/res_mkquery.c
index c3d5af30f29..3e02dbba908 100644
--- a/lib/libc/asr/res_mkquery.c
+++ b/lib/libc/asr/res_mkquery.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_mkquery.c,v 1.13 2019/01/14 06:49:42 otto Exp $ */
+/* $OpenBSD: res_mkquery.c,v 1.14 2021/11/22 20:18:27 jca Exp $ */
 /*
 * Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
 *
@@ -62,6 +62,8 @@ res_mkquery(int op, const char *dname, int class, int type,
 h.flags |= RD_MASK;
 if (ac->ac_options & RES_USE_CD)
 h.flags |= CD_MASK;
+ if (ac->ac_options & RES_TRUSTAD)
+ h.flags |= AD_MASK;
 h.qdcount = 1;
 if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
 h.arcount = 1;
diff --git a/lib/libc/asr/res_send_async.c b/lib/libc/asr/res_send_async.c
index c5cc41f56df..a309070efcd 100644
--- a/lib/libc/asr/res_send_async.c
+++ b/lib/libc/asr/res_send_async.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: res_send_async.c,v 1.39 2019/09/28 11:21:07 eric Exp $ */
+/* $OpenBSD: res_send_async.c,v 1.40 2021/11/22 20:18:27 jca Exp $ */
 /*
 * Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
 *
@@ -42,6 +42,7 @@ static int udp_recv(struct asr_query *);
 static int tcp_write(struct asr_query *);
 static int tcp_read(struct asr_query *);
 static int validate_packet(struct asr_query *);
+static void clear_ad(struct asr_result *);
 static int setup_query(struct asr_query *, const char *, const char *, int, int);
 static int ensure_ibuf(struct asr_query *, size_t);
 static int iter_ns(struct asr_query *);
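Review bot: The two new AD_MASK lines in res_mkquery duplicate the query-header assembly that setup_query() in res_send_async.c gains in this same commit, so the RD/CD/AD/EDNS0 flag sequence is now maintained in two places that can drift the next time an option is added. A cross-reference comment on the new lines, `/* keep in sync with setup_query() in res_send_async.c */`, is the minimum; factoring the flag computation into one small shared helper taking ac_options would remove the duplication outright. res_mkquery's body continues outside the hunk.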
@@ -258,6 +259,8 @@ res_send_async_run(struct asr_query *as, struct asr_result *ar)
 as->as.dns.ibuf = NULL;
 ar->ar_errno = 0;
 ar->ar_rcode = as->as.dns.rcode;
+ if (!(as->as_ctx->ac_options & RES_TRUSTAD))
+ clear_ad(ar);
 async_set_state(as, ASR_STATE_HALT);
 break;
 
@@ -378,6 +381,9 @@ setup_query(struct asr_query *as, const char *name, const char *dom,
 h.flags |= RD_MASK;
 if (as->as_ctx->ac_options & RES_USE_CD)
 h.flags |= CD_MASK;
+ if (as->as_ctx->ac_options & RES_TRUSTAD)
+ h.flags |= AD_MASK;
+
 h.qdcount = 1;
 if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
 h.arcount = 1;
@@ -748,6 +754,21 @@ validate_packet(struct asr_query *as)
 }
 
 /*
+ * Clear AD flag in the answer.
+ */
+static void
+clear_ad(struct asr_result *ar)
+{
+ struct asr_dns_header *h;
+ uint16_t flags;
+
+ h = (struct asr_dns_header *)ar->ar_data;
+ flags = ntohs(h->flags);
+ flags &= ~(AD_MASK);
+ h->flags = htons(flags);
+}
+
+/*
 * Set the async context nameserver index to the next nameserver, cycling
 * over the list until the maximum retry counter is reached. Return 0 on
 * success, or -1 if all nameservers were used.
diff --git a/lib/libc/net/res_init.3 b/lib/libc/net/res_init.3
index 4a4d0950a5e..03e6fca7470 100644
--- a/lib/libc/net/res_init.3
+++ b/lib/libc/net/res_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: res_init.3,v 1.4 2020/04/25 21:06:17 jca Exp $
+.\" $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $
 .\"
 .\" Copyright (c) 1985, 1991, 1993
 .\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2020 $
+.Dd $Mdocdate: November 22 2021 $
 .Dt RES_INIT 3
 .Os
 .Sh NAME
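Review bot: clear_ad() in the @@ -748 hunk casts ar->ar_data to struct asr_dns_header and rewrites it without checking that the buffer is non-NULL or at least header-sized; it is only safe because its single caller in res_send_async_run (the @@ -258 hunk) runs after the reply has been stored, presumably once validate_packet() has accepted it, and that precondition is stated nowhere. Spell it out in the new comment — `Clear the AD flag in the answer. ar->ar_data must hold a complete, already validated DNS header.` — or put a cheap guard in front of the cast, `if (ar->ar_data == NULL || ar->ar_datalen < (int)sizeof(*h)) return;`, if asr_result carries the reply length as ar_datalen (confirm against asr.h). Clearing happens in place, so anything that later inspects the raw reply bytes sees the cleared bit, which matches the behaviour res_init.3 now documents and is worth one sentence in the same comment. res_send_async_run's switch continues outside the hunk.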
@@ -179,6 +179,18 @@ This option has no effect.
 In the past, it turned off the legacy
 .Ev HOSTALIASES
 feature.
+.It Dv RES_TRUSTAD
+If set, the resolver routines will set the AD flag in DNS queries and
+preserve the value of the AD flag in DNS replies.
+If not set, the resolver routines will clear the AD flag in responses.
+Direct use of this option to enable AD bit processing is discouraged.
+Instead the use of trusted name servers should be annotated with
+.Dq options trust-ad
+in
+.Xr resolv.conf 5 .
+This option is automatically enabled if
+.Xr resolv.conf 5
+only lists name servers on localhost.
 .It Dv RES_USE_INET6
 With this option
 .Xr gethostbyname 3 |