From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] dnsmasq 2.75: latest upstream patches Date: Wed, 16 Dec 2015 21:42:41 +0100 Message-ID: <1450298561-14931-1-git-send-email-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7960740162511005029==" List-Id: --===============7960740162511005029== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Since 'Makefile' was affected, I had to rewrite 'dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch', too. Signed-off-by: Matthias Fischer --- lfs/dnsmasq | 5 + ...q-Add-support-to-read-ISC-DHCP-lease-file.patch | 83 +- ...ajor_rationalisation_of_DNSSEC_validation.patch | 2209 ++++++++++++++++++= ++ ...hing_RRSIGs_and_returning_them_from_cache.patch | 612 ++++++ ...caches_DS_records_to_a_more_logical_place.patch | 269 +++ ...lise_RR-filtering_code_for_use_with_EDNS0.patch | 755 +++++++ .../dnsmasq/020-DNSSEC_validation_tweak.patch | 134 ++ 7 files changed, 4017 insertions(+), 50 deletions(-) create mode 100644 src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_v= alidation.patch create mode 100644 src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_return= ing_them_from_cache.patch create mode 100644 src/patches/dnsmasq/018-Move_code_which_caches_DS_records= _to_a_more_logical_place.patch create mode 100644 src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_= use_with_EDNS0.patch create mode 100644 src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index d166392..eeb7e03 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -88,6 +88,11 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-Fix_crash= _when_empty_address_from_DNS_overlays_A_record_from.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Handle_un= known_DS_hash_algos_correctly.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Fix_crash= _at_start_up_with_conf-dir.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Major_rat= ionalisation_of_DNSSEC_validation.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/017-Abandon_c= aching_RRSIGs_and_returning_them_from_cache.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/018-Move_code= _which_caches_DS_records_to_a_more_logical_place.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/019-Generalis= e_RR-filtering_code_for_use_with_EDNS0.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/020-DNSSEC_va= lidation_tweak.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-t= o-read-ISC-DHCP-lease-file.patch =20 cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patc= h b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch index 0482c4b..f55ebe8 100644 --- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch +++ b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch @@ -1,21 +1,5 @@ -diff --git a/Makefile b/Makefile -index 4c87ea9..4e0ea10 100644 ---- a/Makefile -+++ b/Makefile -@@ -73,7 +73,8 @@ objs =3D cache.o rfc1035.o util.o option.o forward.o netwo= rk.o \ - dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ - helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ -- domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o -+ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o \ -+ isc.o -=20 - hdrs =3D dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ - dns-protocol.h radv-protocol.h ip6addr.h -diff --git a/src/cache.c b/src/cache.c -index 178d654..6d0b131 100644 ---- a/src/cache.c -+++ b/src/cache.c +--- a/src/cache.c Wed Dec 16 19:24:12 2015 ++++ b/src/cache.c Wed Dec 16 19:37:37 2015 @@ -17,7 +17,7 @@ #include "dnsmasq.h" =20 @@ -25,7 +9,7 @@ index 178d654..6d0b131 100644 static struct crec *dhcp_spare =3D NULL; #endif static struct crec *new_chain =3D NULL; -@@ -222,6 +222,9 @@ static void cache_free(struct crec *crecp) +@@ -217,6 +217,9 @@ crecp->flags &=3D ~F_BIGNAME; } =20 @@ -35,7 +19,7 @@ index 178d654..6d0b131 100644 #ifdef HAVE_DNSSEC cache_blockdata_free(crecp); #endif -@@ -1151,7 +1154,7 @@ void cache_reload(void) +@@ -1131,7 +1134,7 @@ =20 }=20 =20 @@ -44,16 +28,7 @@ index 178d654..6d0b131 100644 struct in_addr a_record_from_hosts(char *name, time_t now) { struct crec *crecp =3D NULL; -@@ -1229,7 +1232,7 @@ void cache_add_dhcp_entry(char *host_name, int prot, - addrlen =3D sizeof(struct in6_addr); - } - #endif -- =20 -+ - inet_ntop(prot, host_address, daemon->addrbuff, ADDRSTRLEN); - =20 - while ((crec =3D cache_find_by_name(crec, host_name, 0, flags | F_CNAME))) -@@ -1294,7 +1297,11 @@ void cache_add_dhcp_entry(char *host_name, int prot, +@@ -1274,7 +1277,11 @@ else crec->ttd =3D ttd; crec->addr.addr =3D *host_address; @@ -65,11 +40,9 @@ index 178d654..6d0b131 100644 crec->uid =3D next_uid(); cache_hash(crec); =20 -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 81254f6..ce2d1a7 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -982,6 +982,11 @@ int main (int argc, char **argv) +--- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015 ++++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015 +@@ -982,6 +982,11 @@ =20 poll_resolv(0, daemon->last_resolv !=3D 0, now); =20 daemon->last_resolv =3D now; @@ -81,11 +54,9 @@ index 81254f6..ce2d1a7 100644 } #endif =20 -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index cf1a782..30437aa 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1519,3 +1519,7 @@ int poll_check(int fd, short event); +--- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015 ++++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015 +@@ -1513,8 +1513,12 @@ void poll_listen(int fd, short event); int do_poll(int timeout); =20 @@ -93,11 +64,14 @@ index cf1a782..30437aa 100644 +#ifdef HAVE_ISC_READER +void load_dhcp(time_t now); +#endif -diff --git a/src/isc.c b/src/isc.c -new file mode 100644 -index 0000000..5106442 ---- /dev/null -+++ b/src/isc.c ++ + /* rrfilter.c */ + size_t rrfilter(struct dns_header *header, size_t plen, int mode); + u16 *rrfilter_desc(int type); + int expand_workspace(unsigned char ***wkspc, int *szp, int new); +- +--- /dev/null Wed Dec 16 19:48:08 2015 ++++ b/src/isc.c Wed Dec 16 19:41:35 2015 @@ -0,0 +1,251 @@ +/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and + Michael Tremer @@ -350,11 +324,9 @@ index 0000000..5106442 +} + +#endif -diff --git a/src/option.c b/src/option.c -index ecc2619..527c5aa 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -1699,7 +1699,7 @@ static int one_opt(int option, char *arg, char *errstr= , char *gen_err, int comma +--- a/src/option.c Wed Dec 16 19:24:12 2015 ++++ b/src/option.c Wed Dec 16 19:42:48 2015 +@@ -1754,7 +1754,7 @@ ret_err(_("bad MX target")); break; =20 @@ -363,3 +335,14 @@ index ecc2619..527c5aa 100644 case 'l': /* --dhcp-leasefile */ daemon->lease_file =3D opt_string_alloc(arg); break; +--- a/Makefile Wed Dec 16 19:24:12 2015 ++++ b/Makefile Wed Dec 16 19:28:45 2015 +@@ -74,7 +74,7 @@ + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +- poll.o rrfilter.o ++ poll.o rrfilter.o isc.o +=20 + hdrs =3D dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validati= on.patch b/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation= .patch new file mode 100644 index 0000000..7f25066 --- /dev/null +++ b/src/patches/dnsmasq/016-Major_rationalisation_of_DNSSEC_validation.patch @@ -0,0 +1,2209 @@ +From 9a31b68b59adcac01016d4026d906b69c4216c01 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 15 Dec 2015 10:20:39 +0000 +Subject: [PATCH] Major rationalisation of DNSSEC validation. + +Much gnarly special-case code removed and replaced with correct +general implementaion. Checking of zone-status moved to DNSSEC code, +where it should be, vastly simplifying query-forwarding code. +--- + src/dnsmasq.h | 19 +- + src/dnssec.c | 926 ++++++++++++++++++++++++++++++------------------------= --- + src/forward.c | 741 ++++++++++----------------------------------- + 3 files changed, 653 insertions(+), 1033 deletions(-) + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index f42acdb..023a1cf 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -586,12 +586,8 @@ struct hostsfile { + #define STAT_NEED_KEY 5 + #define STAT_TRUNCATED 6 + #define STAT_SECURE_WILDCARD 7 +-#define STAT_NO_SIG 8 +-#define STAT_NO_DS 9 +-#define STAT_NO_NS 10 +-#define STAT_NEED_DS_NEG 11 +-#define STAT_CHASE_CNAME 12 +-#define STAT_INSECURE_DS 13 ++#define STAT_OK 8 ++#define STAT_ABANDONED 9 +=20 + #define FREC_NOREBIND 1 + #define FREC_CHECKING_DISABLED 2 +@@ -601,8 +597,7 @@ struct hostsfile { + #define FREC_AD_QUESTION 32 + #define FREC_DO_QUESTION 64 + #define FREC_ADDED_PHEADER 128 +-#define FREC_CHECK_NOSIGN 256 +-#define FREC_TEST_PKTSZ 512 ++#define FREC_TEST_PKTSZ 256 +=20 + #ifdef HAVE_DNSSEC + #define HASH_SIZE 20 /* SHA-1 digest size */ +@@ -626,9 +621,7 @@ struct frec { + #ifdef HAVE_DNSSEC=20 + int class, work_counter; + struct blockdata *stash; /* Saved reply, whilst we validate */ +- struct blockdata *orig_domain; /* domain of original query, whilst +- we're seeing is if in unsigned domain */ +- size_t stash_len, name_start, name_len; ++ size_t stash_len; + struct frec *dependent; /* Query awaiting internally-generated DNSKEY or = DS query */ + struct frec *blocking_query; /* Query which is blocking us. */ + #endif +@@ -1162,8 +1155,8 @@ int in_zone(struct auth_zone *zone, char *name, char *= *cut); + size_t dnssec_generate_query(struct dns_header *header, char *end, char *na= me, int class, int type, union mysockaddr *addr, int edns_pktsz); + int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t n, = char *name, char *keyname, int class); + int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, = char *name, char *keyname, int class); +-int dnssec_validate_reply(time_t now, struct dns_header *header, size_t ple= n, char *name, char *keyname, int *class, int *neganswer, int *nons); +-int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, = char *name, char *keyname); ++int dnssec_validate_reply(time_t now, struct dns_header *header, size_t ple= n, char *name, char *keyname, int *class, ++ int check_unsigned, int *neganswer, int *nons); + int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); + unsigned char* hash_questions(struct dns_header *header, size_t plen, char = *name); +diff --git a/src/dnssec.c b/src/dnssec.c +index b4dc14e..de7b335 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -65,8 +65,10 @@ static char *algo_digest_name(int algo) + case 8: return "sha256"; + case 10: return "sha512"; + case 12: return "gosthash94"; ++#ifndef NO_NETTLE_ECC + case 13: return "sha256"; + case 14: return "sha384"; ++#endif + default: return NULL; + } + } +@@ -592,30 +594,30 @@ static int get_rdata(struct dns_header *header, size_t= plen, unsigned char *end, + } + } +=20 +-static int expand_workspace(unsigned char ***wkspc, int *sz, int new) ++static int expand_workspace(unsigned char ***wkspc, int *szp, int new) + { + unsigned char **p; +- int new_sz =3D *sz; +- =20 +- if (new_sz > new) ++ int old =3D *szp; ++ ++ if (old >=3D new+1) + return 1; +=20 + if (new >=3D 100) + return 0; +=20 +- new_sz +=3D 5; ++ new +=3D 5; + =20 +- if (!(p =3D whine_malloc((new_sz) * sizeof(unsigned char **)))) ++ if (!(p =3D whine_malloc(new * sizeof(unsigned char **)))) + return 0; =20 + =20 +- if (*wkspc) ++ if (old !=3D 0 && *wkspc) + { +- memcpy(p, *wkspc, *sz * sizeof(unsigned char **)); ++ memcpy(p, *wkspc, old * sizeof(unsigned char **)); + free(*wkspc); + } + =20 + *wkspc =3D p; +- *sz =3D new_sz; ++ *szp =3D new; +=20 + return 1; + } +@@ -706,47 +708,28 @@ static void sort_rrset(struct dns_header *header, size= _t plen, u16 *rr_desc, int + } while (swap); + } +=20 +-/* Validate a single RRset (class, type, name) in the supplied DNS reply=20 +- Return code: +- STAT_SECURE if it validates. +- STAT_SECURE_WILDCARD if it validates and is the result of wildcard expan= sion. +- (In this case *wildcard_out points to the "body" of the wildcard within = name.)=20 +- STAT_NO_SIG no RRsigs found. +- STAT_INSECURE RRset empty. +- STAT_BOGUS signature is wrong, bad packet. +- STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke= yname) +- +- if key is non-NULL, use that key, which has the algo and tag given in th= e params of those names, +- otherwise find the key in the cache. ++static unsigned char **rrset =3D NULL, **sigs =3D NULL; +=20 +- name is unchanged on exit. keyname is used as workspace and trashed. +-*/ +-static int validate_rrset(time_t now, struct dns_header *header, size_t ple= n, int class, int type,=20 +- char *name, char *keyname, char **wildcard_out, struct blockdata *key,= int keylen, int algo_in, int keytag_in) ++/* Get pointers to RRset menbers and signature(s) for same. ++ Check signatures, and return keyname associated in keyname. */ ++static int explore_rrset(struct dns_header *header, size_t plen, int class,= int type,=20 ++ char *name, char *keyname, int *sigcnt, int *rrcnt) + { +- static unsigned char **rrset =3D NULL, **sigs =3D NULL; +- static int rrset_sz =3D 0, sig_sz =3D 0; +- =20 ++ static int rrset_sz =3D 0, sig_sz =3D 0;=20 + unsigned char *p; +- int rrsetidx, sigidx, res, rdlen, j, name_labels; +- struct crec *crecp =3D NULL; +- int type_covered, algo, labels, orig_ttl, sig_expiration, sig_inception, = key_tag; +- u16 *rr_desc =3D get_desc(type); +-=20 +- if (wildcard_out) +- *wildcard_out =3D NULL; +- =20 ++ int rrsetidx, sigidx, j, rdlen, res; ++ int name_labels =3D count_labels(name); /* For 4035 5.3.2 check */ ++ int gotkey =3D 0; ++ + if (!(p =3D skip_questions(header, plen))) + return STAT_BOGUS; +- =20 +- name_labels =3D count_labels(name); /* For 4035 5.3.2 check */ +=20 +- /* look for RRSIGs for this RRset and get pointers to each RR in the set.= */ ++ /* look for RRSIGs for this RRset and get pointers to each RR in the set= . */ + for (rrsetidx =3D 0, sigidx =3D 0, j =3D ntohs(header->ancount) + ntohs(h= eader->nscount);=20 + j !=3D 0; j--)=20 + { + unsigned char *pstart, *pdata; +- int stype, sclass; ++ int stype, sclass, algo, type_covered, labels, sig_expiration, sig_in= ception; +=20 + pstart =3D p; + =20 +@@ -762,14 +745,14 @@ static int validate_rrset(time_t now, struct dns_heade= r *header, size_t plen, in + GETSHORT(rdlen, p); + =20 + if (!CHECK_LEN(header, p, plen, rdlen)) +- return STAT_BOGUS;=20 ++ return 0;=20 + =20 + if (res =3D=3D 1 && sclass =3D=3D class) + { + if (stype =3D=3D type) + { + if (!expand_workspace(&rrset, &rrset_sz, rrsetidx)) +- return STAT_BOGUS;=20 ++ return 0;=20 + =20 + rrset[rrsetidx++] =3D pstart; + } +@@ -777,14 +760,54 @@ static int validate_rrset(time_t now, struct dns_heade= r *header, size_t plen, in + if (stype =3D=3D T_RRSIG) + { + if (rdlen < 18) +- return STAT_BOGUS; /* bad packet */=20 ++ return 0; /* bad packet */=20 + =20 + GETSHORT(type_covered, p); ++ algo =3D *p++; ++ labels =3D *p++; ++ p +=3D 4; /* orig_ttl */ ++ GETLONG(sig_expiration, p); ++ GETLONG(sig_inception, p); ++ p +=3D 2; /* key_tag */ + =20 +- if (type_covered =3D=3D type) ++ if (gotkey) ++ { ++ /* If there's more than one SIG, ensure they all have same keyname */ ++ if (extract_name(header, plen, &p, keyname, 0, 0) !=3D 1) ++ return 0; ++ } ++ else ++ { ++ gotkey =3D 1; ++ =20 ++ if (!extract_name(header, plen, &p, keyname, 1, 0)) ++ return 0; ++ =20 ++ /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal ++ the name of the zone containing the RRset. We can't tell that ++ for certain, but we can check that the RRset name is equal to ++ or encloses the signers name, which should be enough to stop=20 ++ an attacker using signatures made with the key of an unrelated=20 ++ zone he controls. Note that the root key is always allowed. */ ++ if (*keyname !=3D 0) ++ { ++ char *name_start; ++ for (name_start =3D name; !hostname_isequal(name_start, keyname); ) ++ if ((name_start =3D strchr(name_start, '.'))) ++ name_start++; /* chop a label off and try again */ ++ else ++ return 0; ++ } ++ } ++ =20 ++ /* Don't count signatures for algos we don't support */ ++ if (check_date_range(sig_inception, sig_expiration) && ++ labels <=3D name_labels && ++ type_covered =3D=3D type &&=20 ++ algo_digest_name(algo)) + { + if (!expand_workspace(&sigs, &sig_sz, sigidx)) +- return STAT_BOGUS;=20 ++ return 0;=20 + =20 + sigs[sigidx++] =3D pdata; + }=20 +@@ -794,17 +817,45 @@ static int validate_rrset(time_t now, struct dns_heade= r *header, size_t plen, in + } + =20 + if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; ++ return 0; + } + =20 +- /* RRset empty */ +- if (rrsetidx =3D=3D 0) +- return STAT_INSECURE;=20 ++ *sigcnt =3D sigidx; ++ *rrcnt =3D rrsetidx; ++ ++ return 1; ++} ++ ++/* Validate a single RRset (class, type, name) in the supplied DNS reply=20 ++ Return code: ++ STAT_SECURE if it validates. ++ STAT_SECURE_WILDCARD if it validates and is the result of wildcard expan= sion. ++ (In this case *wildcard_out points to the "body" of the wildcard within = name.)=20 ++ STAT_BOGUS signature is wrong, bad packet. ++ STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke= yname) ++ STAT_NEED_DS need DS to complete validation (name is returned in keynam= e) ++ ++ if key is non-NULL, use that key, which has the algo and tag given in th= e params of those names, ++ otherwise find the key in the cache. +=20 +- /* no RRSIGs */ +- if (sigidx =3D=3D 0) +- return STAT_NO_SIG;=20 ++ name is unchanged on exit. keyname is used as workspace and trashed. ++ ++ Call explore_rrset first to find and count RRs and sigs. ++*/ ++static int validate_rrset(time_t now, struct dns_header *header, size_t ple= n, int class, int type, int sigidx, int rrsetidx,=20 ++ char *name, char *keyname, char **wildcard_out, struct blockdata *key,= int keylen, int algo_in, int keytag_in) ++{ ++ unsigned char *p; ++ int rdlen, j, name_labels; ++ struct crec *crecp =3D NULL; ++ int algo, labels, orig_ttl, key_tag; ++ u16 *rr_desc =3D get_desc(type); ++=20 ++ if (wildcard_out) ++ *wildcard_out =3D NULL; + =20 ++ name_labels =3D count_labels(name); /* For 4035 5.3.2 check */ ++ + /* Sort RRset records into canonical order.=20 + Note that at this point keyname and daemon->workspacename buffs are + unused, and used as workspace by the sort. */ +@@ -828,44 +879,16 @@ static int validate_rrset(time_t now, struct dns_heade= r *header, size_t plen, in + algo =3D *p++; + labels =3D *p++; + GETLONG(orig_ttl, p); +- GETLONG(sig_expiration, p); +- GETLONG(sig_inception, p); ++ p +=3D 8; /* sig_expiration, sig_inception already checked */ + GETSHORT(key_tag, p); + =20 + if (!extract_name(header, plen, &p, keyname, 1, 0)) + return STAT_BOGUS; +=20 +- /* RFC 4035 5.3.1 says that the Signer's Name field MUST equal +- the name of the zone containing the RRset. We can't tell that +- for certain, but we can check that the RRset name is equal to +- or encloses the signers name, which should be enough to stop=20 +- an attacker using signatures made with the key of an unrelated=20 +- zone he controls. Note that the root key is always allowed. */ +- if (*keyname !=3D 0) +- { +- int failed =3D 0; +- =20 +- for (name_start =3D name; !hostname_isequal(name_start, keyname); ) +- if ((name_start =3D strchr(name_start, '.'))) +- name_start++; /* chop a label off and try again */ +- else +- { +- failed =3D 1; +- break; +- } +- +- /* Bad sig, try another */ +- if (failed) +- continue; +- } +- =20 +- /* Other 5.3.1 checks */ +- if (!check_date_range(sig_inception, sig_expiration) || +- labels > name_labels || +- !(hash =3D hash_find(algo_digest_name(algo))) || ++ if (!(hash =3D hash_find(algo_digest_name(algo))) || + !hash_init(hash, &ctx, &digest)) + continue; +-=09 ++ =20 + /* OK, we have the signature record, see if the relevant DNSKEY is in= the cache. */ + if (!key && !(crecp =3D cache_find_by_name(NULL, keyname, now, F_DNSK= EY))) + return STAT_NEED_KEY; +@@ -971,10 +994,11 @@ static int validate_rrset(time_t now, struct dns_heade= r *header, size_t plen, in + /* The DNS packet is expected to contain the answer to a DNSKEY query. + Put all DNSKEYs in the answer which are valid into the cache. + return codes: +- STAT_SECURE At least one valid DNSKEY found and in cache. +- STAT_BOGUS No DNSKEYs found, which can be validated with DS, +- or self-sign for DNSKEY RRset is not valid, bad packet. +- STAT_NEED_DS DS records to validate a key not found, name in keyname=20 ++ STAT_OK Done, key(s) in cache. ++ STAT_BOGUS No DNSKEYs found, which can be validated with DS, ++ or self-sign for DNSKEY RRset is not valid, bad packet. ++ STAT_NEED_DS DS records to validate a key not found, name in keyname= =20 ++ STAT_NEED_DNSKEY DNSKEY records to validate a key not found, name in key= name=20 + */ + int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t ple= n, char *name, char *keyname, int class) + { +@@ -1001,23 +1025,6 @@ int dnssec_validate_by_ds(time_t now, struct dns_head= er *header, size_t plen, ch + return STAT_NEED_DS; + } + =20 +- /* If we've cached that DS provably doesn't exist, result must be INSECUR= E */ +- if (crecp->flags & F_NEG) +- return STAT_INSECURE_DS; +- =20 +- /* 4035 5.2=20 +- If the validator does not support any of the algorithms listed in an +- authenticated DS RRset, then the resolver has no supported +- authentication path leading from the parent to the child. The +- resolver should treat this case as it would the case of an +- authenticated NSEC RRset proving that no DS RRset exists, */ +- for (recp1 =3D crecp; recp1; recp1 =3D cache_find_by_name(recp1, name, no= w, F_DS)) +- if (hash_find(ds_digest_name(recp1->addr.ds.digest))) +- break; +- =20 +- if (!recp1) +- return STAT_INSECURE_DS; +- + /* NOTE, we need to find ONE DNSKEY which matches the DS */ + for (valid =3D 0, j =3D ntohs(header->ancount); j !=3D 0 && !valid; j--) = + { +@@ -1070,7 +1077,8 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade= r *header, size_t plen, ch + void *ctx; + unsigned char *digest, *ds_digest; + const struct nettle_hash *hash; +- =20 ++ int sigcnt, rrcnt; ++ + if (recp1->addr.ds.algo =3D=3D algo &&=20 + recp1->addr.ds.keytag =3D=3D keytag && + recp1->uid =3D=3D (unsigned int)class && +@@ -1088,10 +1096,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_hea= der *header, size_t plen, ch + =20 + from_wire(name); + =20 +- if (recp1->addr.ds.keylen =3D=3D (int)hash->digest_size && ++ if (!(recp1->flags & F_NEG) && ++ recp1->addr.ds.keylen =3D=3D (int)hash->digest_size && + (ds_digest =3D blockdata_retrieve(recp1->addr.key.keydata, recp1->addr.= ds.keylen, NULL)) && + memcmp(ds_digest, digest, recp1->addr.ds.keylen) =3D=3D 0 && +- validate_rrset(now, header, plen, class, T_DNSKEY, name, keyname, NULL,= key, rdlen - 4, algo, keytag) =3D=3D STAT_SECURE) ++ explore_rrset(header, plen, class, T_DNSKEY, name, keyname, &sigcnt, &r= rcnt) && ++ sigcnt !=3D 0 && rrcnt !=3D 0 && ++ validate_rrset(now, header, plen, class, T_DNSKEY, sigcnt, rrcnt, name,= keyname,=20 ++ NULL, key, rdlen - 4, algo, keytag) =3D=3D STAT_SECURE) + { + valid =3D 1; + break; +@@ -1112,7 +1124,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade= r *header, size_t plen, ch + { + /* Ensure we have type, class TTL and length */ + if (!(rc =3D extract_name(header, plen, &p, name, 0, 10))) +- return STAT_INSECURE; /* bad packet */ ++ return STAT_BOGUS; /* bad packet */ + =20 + GETSHORT(qtype, p);=20 + GETSHORT(qclass, p); +@@ -1198,7 +1210,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade= r *header, size_t plen, ch + =20 + /* commit cache insert. */ + cache_end_insert(); +- return STAT_SECURE; ++ return STAT_OK; + } +=20 + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DNSKEY"); +@@ -1207,12 +1219,14 @@ int dnssec_validate_by_ds(time_t now, struct dns_hea= der *header, size_t plen, ch +=20 + /* The DNS packet is expected to contain the answer to a DS query + Put all DSs in the answer which are valid into the cache. ++ Also handles replies which prove that there's no DS at this location,=20 ++ either because the zone is unsigned or this isn't a zone cut. These are ++ cached too. + return codes: +- STAT_SECURE At least one valid DS found and in cache. +- STAT_NO_DS It's proved there's no DS here. +- STAT_NO_NS It's proved there's no DS _or_ NS here. ++ STAT_OK At least one valid DS found and in cache. + STAT_BOGUS no DS in reply or not signed, fails validation, bad pac= ket. + STAT_NEED_KEY DNSKEY records to validate a DS not found, name in keyn= ame ++ STAT_NEED_DS DS record needed. + */ +=20 + int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, = char *name, char *keyname, int class) +@@ -1230,7 +1244,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *= header, size_t plen, char + if (qtype !=3D T_DS || qclass !=3D class) + val =3D STAT_BOGUS; + else +- val =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, &= neganswer, &nons); ++ val =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0= , &neganswer, &nons); + /* Note dnssec_validate_reply() will have cached positive answers */ + =20 + if (val =3D=3D STAT_INSECURE) +@@ -1242,22 +1256,21 @@ int dnssec_validate_ds(time_t now, struct dns_header= *header, size_t plen, char + =20 + if (!(p =3D skip_section(p, ntohs(header->ancount), header, plen))) + val =3D STAT_BOGUS; +- =20 +- /* If we return STAT_NO_SIG, name contains the name of the DS query */ +- if (val =3D=3D STAT_NO_SIG) +- return val; + =20 + /* If the key needed to validate the DS is on the same domain as the DS, = we'll + loop getting nowhere. Stop that now. This can happen of the DS answer = comes + from the DS's zone, and not the parent zone. */ +- if (val =3D=3D STAT_BOGUS || (val =3D=3D STAT_NEED_KEY && hostname_isequ= al(name, keyname))) ++ if (val =3D=3D STAT_BOGUS || (val =3D=3D STAT_NEED_KEY && hostname_isequa= l(name, keyname))) + { + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); + return STAT_BOGUS; + } ++ =20 ++ if (val !=3D STAT_SECURE) ++ return val; +=20 + /* By here, the answer is proved secure, and a positive answer has been c= ached. */ +- if (val =3D=3D STAT_SECURE && neganswer) ++ if (neganswer) + { + int rdlen, flags =3D F_FORWARD | F_DS | F_NEG | F_DNSSECOK; + unsigned long ttl, minttl =3D ULONG_MAX; +@@ -1317,15 +1330,14 @@ int dnssec_validate_ds(time_t now, struct dns_header= *header, size_t plen, char + =20 + cache_end_insert(); =20 + =20 +- log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, nons ? "no delegation" : "= no DS"); ++ log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS"); + } +- +- return nons ? STAT_NO_NS : STAT_NO_DS;=20 + } +=20 +- return val; ++ return STAT_OK; + } +=20 ++ + /* 4034 6.1 */ + static int hostname_cmp(const char *a, const char *b) + { +@@ -1452,7 +1464,7 @@ static int prove_non_existence_nsec(struct dns_header = *header, size_t plen, unsi + int mask =3D 0x80 >> (type & 0x07); +=20 + if (nons) +- *nons =3D 0; ++ *nons =3D 1; + =20 + /* Find NSEC record that proves name doesn't exist */ + for (i =3D 0; i < nsec_count; i++) +@@ -1480,9 +1492,22 @@ static int prove_non_existence_nsec(struct dns_header= *header, size_t plen, unsi + /* rdlen is now length of type map, and p points to it */ + =20 + /* If we can prove that there's no NS record, return that information. */ +- if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) =3D= =3D 0) +- *nons =3D 1; ++ if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) != =3D 0) ++ *nons =3D 0; + =20 ++ if (rdlen >=3D 2 && p[0] =3D=3D 0) ++ { ++ /* A CNAME answer would also be valid, so if there's a CNAME is shou= ld=20 ++ have been returned. */ ++ if ((p[2] & (0x80 >> T_CNAME)) !=3D 0) ++ return STAT_BOGUS; ++ =20 ++ /* If the SOA bit is set for a DS record, then we have the ++ DS from the wrong side of the delegation. */ ++ if (type =3D=3D T_DS && (p[2] & (0x80 >> T_SOA)) !=3D 0) ++ return STAT_BOGUS; ++ } ++ + while (rdlen >=3D 2) + { + if (!CHECK_LEN(header, p, plen, rdlen)) +@@ -1586,7 +1611,7 @@ static int base32_decode(char *in, unsigned char *out) + static int check_nsec3_coverage(struct dns_header *header, size_t plen, int= digest_len, unsigned char *digest, int type, + char *workspace1, char *workspace2, unsigned char **nsecs, int nsec_cou= nt, int *nons) + { +- int i, hash_len, salt_len, base32_len, rdlen; ++ int i, hash_len, salt_len, base32_len, rdlen, flags; + unsigned char *p, *psave; +=20 + for (i =3D 0; i < nsec_count; i++) +@@ -1599,7 +1624,9 @@ static int check_nsec3_coverage(struct dns_header *hea= der, size_t plen, int dige + p +=3D 8; /* class, type, TTL */ + GETSHORT(rdlen, p); + psave =3D p; +- p +=3D 4; /* algo, flags, iterations */ ++ p++; /* algo */ ++ flags =3D *p++; /* flags */ ++ p +=3D 2; /* iterations */ + salt_len =3D *p++; /* salt_len */ + p +=3D salt_len; /* salt */ + hash_len =3D *p++; /* p now points to next hashed name */ +@@ -1626,16 +1653,29 @@ static int check_nsec3_coverage(struct dns_header *h= eader, size_t plen, int dige + return 0; + =09 + /* If we can prove that there's no NS record, return that information. */ +- if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) =3D= =3D 0) +- *nons =3D 1; ++ if (nons && rdlen >=3D 2 && p[0] =3D=3D 0 && (p[2] & (0x80 >> T_NS)) !=3D= 0) ++ *nons =3D 0; + =09 ++ if (rdlen >=3D 2 && p[0] =3D=3D 0) ++ { ++ /* A CNAME answer would also be valid, so if there's a CNAME is shoul= d=20 ++ have been returned. */ ++ if ((p[2] & (0x80 >> T_CNAME)) !=3D 0) ++ return 0; ++ =20 ++ /* If the SOA bit is set for a DS record, then we have the ++ DS from the wrong side of the delegation. */ ++ if (type =3D=3D T_DS && (p[2] & (0x80 >> T_SOA)) !=3D 0) ++ return 0; ++ } ++ + while (rdlen >=3D 2) + { + if (p[0] =3D=3D type >> 8) + { + /* Does the NSEC3 say our type exists? */ + if (offset < p[1] && (p[offset+2] & mask) !=3D 0) +- return STAT_BOGUS; ++ return 0; + =09 + break; /* finshed checking */ + } +@@ -1643,7 +1683,7 @@ static int check_nsec3_coverage(struct dns_header *hea= der, size_t plen, int dige + rdlen -=3D p[1]; + p +=3D p[1]; + } +- ++ =09 + return 1; + } + else if (rc < 0) +@@ -1651,16 +1691,27 @@ static int check_nsec3_coverage(struct dns_header *h= eader, size_t plen, int dige + /* Normal case, hash falls between NSEC3 name-hash and next domain name-h= ash, + wrap around case, name-hash falls between NSEC3 name-hash and end */ + if (memcmp(p, digest, digest_len) >=3D 0 || memcmp(workspace2, p, digest_= len) >=3D 0) +- return 1; ++ { ++ if ((flags & 0x01) && nons) /* opt out */ ++ *nons =3D 0; ++ ++ return 1; ++ } + } + else=20 + { + /* wrap around case, name falls between start and next domain name */ + if (memcmp(workspace2, p, digest_len) >=3D 0 && memcmp(p, digest, digest_= len) >=3D 0) +- return 1; ++ { ++ if ((flags & 0x01) && nons) /* opt out */ ++ *nons =3D 0; ++ ++ return 1; ++ } + } + } + } ++ + return 0; + } +=20 +@@ -1673,7 +1724,7 @@ static int prove_non_existence_nsec3(struct dns_header= *header, size_t plen, uns + char *closest_encloser, *next_closest, *wildcard; + =20 + if (nons) +- *nons =3D 0; ++ *nons =3D 1; + =20 + /* Look though the NSEC3 records to find the first one with=20 + an algorithm we support (currently only algo =3D=3D 1). +@@ -1813,16 +1864,81 @@ static int prove_non_existence_nsec3(struct dns_head= er *header, size_t plen, uns + =20 + return STAT_SECURE; + } +- =20 +-/* Validate all the RRsets in the answer and authority sections of the repl= y (4035:3.2.3) */ +-/* Returns are the same as validate_rrset, plus the class if the missing ke= y is in *class */ ++ ++/* Check signing status of name. ++ returns: ++ STAT_SECURE zone is signed. ++ STAT_INSECURE zone proved unsigned. ++ STAT_NEED_DS require DS record of name returned in keyname. ++ =20 ++ name returned unaltered. ++*/ ++static int zone_status(char *name, int class, char *keyname, time_t now) ++{ ++ int name_start =3D strlen(name); ++ struct crec *crecp; ++ char *p; ++ =20 ++ while (1) ++ { ++ strcpy(keyname, &name[name_start]); ++ =20 ++ if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DS))) ++ return STAT_NEED_DS; ++ else ++ do=20 ++ { ++ if (crecp->uid =3D=3D (unsigned int)class) ++ { ++ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. ++ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record he= re, ++ but that's because there's no NS record either, ie this isn't the start ++ of a zone. We only prove that the DNS tree below a node is unsigned wh= en ++ we prove that we're at a zone cut AND there's no DS record. ++ */ =20 ++ if (crecp->flags & F_NEG) ++ { ++ if (crecp->flags & F_DNSSECOK) ++ return STAT_INSECURE; /* proved no DS here */ ++ } ++ else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crec= p->addr.ds.algo)) ++ return STAT_INSECURE; /* algo we can't use - insecure */ ++ } ++ } ++ while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS))); ++ =20 ++ if (name_start =3D=3D 0) ++ break; ++ ++ for (p =3D &name[name_start-2]; (*p !=3D '.') && (p !=3D name); p--); ++ =20 ++ if (p !=3D name) ++ p++; ++ =20 ++ name_start =3D p - name; ++ }=20 ++ ++ return STAT_SECURE; ++} ++ =20 ++/* Validate all the RRsets in the answer and authority sections of the repl= y (4035:3.2.3)=20 ++ Return code: ++ STAT_SECURE if it validates. ++ STAT_INSECURE at least one RRset not validated, because in unsigned zone. ++ STAT_BOGUS signature is wrong, bad packet, no validation where there = should be. ++ STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke= yname, class in *class) ++ STAT_NEED_DS need DS to complete validation (name is returned in keynam= e)=20 ++*/ + int dnssec_validate_reply(time_t now, struct dns_header *header, size_t ple= n, char *name, char *keyname,=20 +- int *class, int *neganswer, int *nons) ++ int *class, int check_unsigned, int *neganswer, int *nons) + { +- unsigned char *ans_start, *qname, *p1, *p2, **nsecs; +- int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype; +- int i, j, rc, nsec_count, cname_count =3D CNAME_CHAIN; +- int nsec_type =3D 0, have_answer =3D 0; ++ static unsigned char **targets =3D NULL; ++ static int target_sz =3D 0; ++ ++ unsigned char *ans_start, *p1, *p2, **nsecs; ++ int type1, class1, rdlen1, type2, class2, rdlen2, qclass, qtype, targetid= x; ++ int i, j, rc, nsec_count; ++ int nsec_type; +=20 + if (neganswer) + *neganswer =3D 0; +@@ -1833,70 +1949,51 @@ int dnssec_validate_reply(time_t now, struct dns_hea= der *header, size_t plen, ch + if (RCODE(header) !=3D NXDOMAIN && RCODE(header) !=3D NOERROR) + return STAT_INSECURE; +=20 +- qname =3D p1 =3D (unsigned char *)(header+1); ++ p1 =3D (unsigned char *)(header+1); + =20 ++ /* Find all the targets we're looking for answers to. ++ The zeroth array element is for the query, subsequent ones ++ for CNAME targets, unless the query is for a CNAME. */ ++ ++ if (!expand_workspace(&targets, &target_sz, 0)) ++ return STAT_BOGUS; ++ =20 ++ targets[0] =3D p1; ++ targetidx =3D 1; ++ =20 + if (!extract_name(header, plen, &p1, name, 1, 4)) + return STAT_BOGUS; +- ++ =20 + GETSHORT(qtype, p1); + GETSHORT(qclass, p1); + ans_start =3D p1; +- +- if (qtype =3D=3D T_ANY) +- have_answer =3D 1; + =20 +- /* Can't validate an RRISG query */ ++ /* Can't validate an RRSIG query */ + if (qtype =3D=3D T_RRSIG) + return STAT_INSECURE; +-=20 +- cname_loop: +- for (j =3D ntohs(header->ancount); j !=3D 0; j--)=20 +- { +- /* leave pointer to missing name in qname */ +- =20 +- if (!(rc =3D extract_name(header, plen, &p1, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ +- =20 +- GETSHORT(type2, p1);=20 +- GETSHORT(class2, p1); +- p1 +=3D 4; /* TTL */ +- GETSHORT(rdlen2, p1); +- +- if (rc =3D=3D 1 && qclass =3D=3D class2) +- { +- /* Do we have an answer for the question? */ +- if (type2 =3D=3D qtype) +- { +- have_answer =3D 1; +- break; +- } +- else if (type2 =3D=3D T_CNAME) +- { +- qname =3D p1; +- =20 +- /* looped CNAMES */ +- if (!cname_count-- || !extract_name(header, plen, &p1, name, 1, 0)) +- return STAT_BOGUS; +- =20 +- p1 =3D ans_start; +- goto cname_loop; +- } +- }=20 +- +- if (!ADD_RDLEN(header, p1, plen, rdlen2)) +- return STAT_BOGUS; +- } +- =20 +- if (neganswer && !have_answer) +- *neganswer =3D 1; + =20 +- /* No data, therefore no sigs */ +- if (ntohs(header->ancount) + ntohs(header->nscount) =3D=3D 0) +- { +- *keyname =3D 0; +- return STAT_NO_SIG; +- } +- ++ if (qtype !=3D T_CNAME) ++ for (j =3D ntohs(header->ancount); j !=3D 0; j--)=20 ++ { ++ if (!(p1 =3D skip_name(p1, header, plen, 10))) ++ return STAT_BOGUS; /* bad packet */ ++=09 ++ GETSHORT(type2, p1);=20 ++ p1 +=3D 6; /* class, TTL */ ++ GETSHORT(rdlen2, p1); =20 ++=09 ++ if (type2 =3D=3D T_CNAME) ++ { ++ if (!expand_workspace(&targets, &target_sz, targetidx)) ++ return STAT_BOGUS; ++ =20 ++ targets[targetidx++] =3D p1; /* pointer to target name */ ++ } ++=09 ++ if (!ADD_RDLEN(header, p1, plen, rdlen2)) ++ return STAT_BOGUS; ++ } ++ =20 + for (p1 =3D ans_start, i =3D 0; i < ntohs(header->ancount) + ntohs(header= ->nscount); i++) + { + if (!extract_name(header, plen, &p1, name, 1, 10)) +@@ -1931,7 +2028,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade= r *header, size_t plen, ch + /* Not done, validate now */ + if (j =3D=3D i) + { +- int ttl, keytag, algo, digest, type_covered; ++ int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt; + unsigned char *psave; + struct all_addr a; + struct blockdata *key; +@@ -1939,143 +2036,186 @@ int dnssec_validate_reply(time_t now, struct dns_h= eader *header, size_t plen, ch + char *wildname; + int have_wildcard =3D 0; +=20 +- rc =3D validate_rrset(now, header, plen, class1, type1, name, keynam= e, &wildname, NULL, 0, 0, 0); +- =20 +- if (rc =3D=3D STAT_SECURE_WILDCARD) +- { +- have_wildcard =3D 1; +- +- /* An attacker replay a wildcard answer with a different +- answer and overlay a genuine RR. To prove this +- hasn't happened, the answer must prove that +- the gennuine record doesn't exist. Check that here. */ +- if (!nsec_type && !(nsec_type =3D find_nsec_records(header, plen, &nsec= s, &nsec_count, class1))) +- return STAT_BOGUS; /* No NSECs or bad packet */ +- =20 +- if (nsec_type =3D=3D T_NSEC) +- rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daem= on->workspacename, keyname, name, type1, NULL); +- else +- rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, dae= mon->workspacename,=20 +- keyname, name, type1, wildname, NULL); +- =20 +- if (rc !=3D STAT_SECURE) +- return rc; +- }=20 +- else if (rc !=3D STAT_SECURE) +- { +- if (class) +- *class =3D class1; /* Class for DS or DNSKEY */ ++ if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigc= nt, &rrcnt)) ++ return STAT_BOGUS; +=20 +- if (rc =3D=3D STAT_NO_SIG) ++ /* No signatures for RRset. We can be configured to assume this is O= K and return a INSECURE result. */ ++ if (sigcnt =3D=3D 0) ++ { ++ if (check_unsigned) + { +- /* If we dropped off the end of a CNAME chain, return +- STAT_NO_SIG and the last name is keyname. This is used for proving non-= existence +- if DS records in CNAME chains. */ +- if (cname_count =3D=3D CNAME_CHAIN || i < ntohs(header->ancount))=20 +- /* No CNAME chain, or no sig in answer section, return empty name. */ +- *keyname =3D 0; +- else if (!extract_name(header, plen, &qname, keyname, 1, 0)) +- return STAT_BOGUS; ++ rc =3D zone_status(name, class1, keyname, now); ++ if (rc =3D=3D STAT_SECURE) ++ rc =3D STAT_BOGUS; ++ if (class) ++ *class =3D class1; /* Class for NEED_DS or NEED_DNSKEY */ + } +-=20 ++ else=20 ++ rc =3D STAT_INSECURE;=20 ++ =20 + return rc; + } + =20 +- /* Cache RRsigs in answer section, and if we just validated a DS RRs= et, cache it */ +- cache_start_insert(); ++ /* explore_rrset() gives us key name from sigs in keyname. ++ Can't overwrite name here. */ ++ strcpy(daemon->workspacename, keyname); ++ rc =3D zone_status(daemon->workspacename, class1, keyname, now); ++ if (rc !=3D STAT_SECURE) ++ { ++ /* Zone is insecure, don't need to validate RRset */ ++ if (class) ++ *class =3D class1; /* Class for NEED_DS or NEED_DNSKEY */ ++ return rc; ++ }=20 ++ =20 ++ rc =3D validate_rrset(now, header, plen, class1, type1, sigcnt, rrcn= t, name, keyname, &wildname, NULL, 0, 0, 0); + =20 +- for (p2 =3D ans_start, j =3D 0; j < ntohs(header->ancount); j++) ++ if (rc =3D=3D STAT_BOGUS || rc =3D=3D STAT_NEED_KEY || rc =3D=3D STA= T_NEED_DS) + { +- if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ ++ if (class) ++ *class =3D class1; /* Class for DS or DNSKEY */ ++ return rc; ++ }=20 ++ else=20 ++ { ++ /* rc is now STAT_SECURE or STAT_SECURE_WILDCARD */ ++ =20 ++ /* Note if we've validated either the answer to the question ++ or the target of a CNAME. Any not noted will need NSEC or ++ to be in unsigned space. */ ++ ++ for (j =3D 0; j addr.ds.digest =3D digest; +- crecp->addr.ds.keydata =3D key; +- crecp->addr.ds.algo =3D algo; +- crecp->addr.ds.keytag =3D keytag; +- crecp->addr.ds.keylen =3D rdlen2 - 4;=20 +- }=20 +- } +- } +- else if (type2 =3D=3D T_RRSIG) +- { +- if (rdlen2 < 18) +- return STAT_BOGUS; /* bad packet */ ++ if (nsec_type =3D=3D T_NSEC) ++ rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon-= >workspacename, keyname, name, type1, NULL); ++ else ++ rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon= ->workspacename,=20 ++ keyname, name, type1, wildname, NULL); ++ =20 ++ if (rc =3D=3D STAT_BOGUS) ++ return rc; ++ }=20 ++ =20 ++ /* Cache RRsigs in answer section, and if we just validated a DS RRset,= cache it */ ++ /* Also note if the RRset is the answer to the question, or the target = of a CNAME */ ++ cache_start_insert(); ++ =20 ++ for (p2 =3D ans_start, j =3D 0; j < ntohs(header->ancount); j++) ++ { ++ if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10))) ++ return STAT_BOGUS; /* bad packet */ ++ =20 ++ GETSHORT(type2, p2); ++ GETSHORT(class2, p2); ++ GETLONG(ttl, p2); ++ GETSHORT(rdlen2, p2); ++ =20 ++ if (!CHECK_LEN(header, p2, plen, rdlen2)) ++ return STAT_BOGUS; /* bad packet */ ++ =20 ++ if (class2 =3D=3D class1 && rc =3D=3D 1) ++ {=20 ++ psave =3D p2; + =20 +- GETSHORT(type_covered, p2); +- +- if (type_covered =3D=3D type1 &&=20 +- (type_covered =3D=3D T_A || type_covered =3D=3D T_AAAA || +- type_covered =3D=3D T_CNAME || type_covered =3D=3D T_DS ||=20 +- type_covered =3D=3D T_DNSKEY || type_covered =3D=3D T_PTR))=20 ++ if (type1 =3D=3D T_DS && type2 =3D=3D T_DS) + { +- a.addr.dnssec.type =3D type_covered; +- a.addr.dnssec.class =3D class1; ++ if (rdlen2 < 4) ++ return STAT_BOGUS; /* bad packet */ + =20 +- algo =3D *p2++; +- p2 +=3D 13; /* labels, orig_ttl, expiration, inception */ + GETSHORT(keytag, p2); ++ algo =3D *p2++; ++ digest =3D *p2++; ++ =20 ++ /* Cache needs to known class for DNSSEC stuff */ ++ a.addr.dnssec.class =3D class2; + =20 +- /* We don't cache sigs for wildcard answers, because to reproduce = the +- answer from the cache will require one or more NSEC/NSEC3 records=20 +- which we don't cache. The lack of the RRSIG ensures that a query for +- this RRset asking for a secure answer will always be forwarded. */ +- if (!have_wildcard && (key =3D blockdata_alloc((char*)psave, rdlen= 2))) ++ if ((key =3D blockdata_alloc((char*)p2, rdlen2 - 4))) + { +- if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKE= Y | F_DS))) ++ if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F= _DNSSECOK))) + blockdata_free(key); + else + { +- crecp->addr.sig.keydata =3D key; +- crecp->addr.sig.keylen =3D rdlen2; +- crecp->addr.sig.keytag =3D keytag; +- crecp->addr.sig.type_covered =3D type_covered; +- crecp->addr.sig.algo =3D algo; ++ a.addr.keytag =3D keytag; ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag= %u"); ++ crecp->addr.ds.digest =3D digest; ++ crecp->addr.ds.keydata =3D key; ++ crecp->addr.ds.algo =3D algo; ++ crecp->addr.ds.keytag =3D keytag; ++ crecp->addr.ds.keylen =3D rdlen2 - 4;=20 ++ }=20 ++ } ++ } ++ else if (type2 =3D=3D T_RRSIG) ++ { ++ if (rdlen2 < 18) ++ return STAT_BOGUS; /* bad packet */ ++ =20 ++ GETSHORT(type_covered, p2); ++ =20 ++ if (type_covered =3D=3D type1 &&=20 ++ (type_covered =3D=3D T_A || type_covered =3D=3D T_AAAA || ++ type_covered =3D=3D T_CNAME || type_covered =3D=3D T_DS ||=20 ++ type_covered =3D=3D T_DNSKEY || type_covered =3D=3D T_PTR))=20 ++ { ++ a.addr.dnssec.type =3D type_covered; ++ a.addr.dnssec.class =3D class1; ++ =20 ++ algo =3D *p2++; ++ p2 +=3D 13; /* labels, orig_ttl, expiration, inception */ ++ GETSHORT(keytag, p2); ++ =20 ++ /* We don't cache sigs for wildcard answers, because to reproduce the ++ answer from the cache will require one or more NSEC/NSEC3 records = ++ which we don't cache. The lack of the RRSIG ensures that a query f= or ++ this RRset asking for a secure answer will always be forwarded. */ ++ if (!have_wildcard && (key =3D blockdata_alloc((char*)psave, rdlen2))) ++ { ++ if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_D= NSKEY | F_DS))) ++ blockdata_free(key); ++ else ++ { ++ crecp->addr.sig.keydata =3D key; ++ crecp->addr.sig.keylen =3D rdlen2; ++ crecp->addr.sig.keytag =3D keytag; ++ crecp->addr.sig.type_covered =3D type_covered; ++ crecp->addr.sig.algo =3D algo; ++ } + } + } + } ++ =20 ++ p2 =3D psave; + } + =20 +- p2 =3D psave; ++ if (!ADD_RDLEN(header, p2, plen, rdlen2)) ++ return STAT_BOGUS; /* bad packet */ + } + =20 +- if (!ADD_RDLEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ ++ cache_end_insert(); + } +- =20 +- cache_end_insert(); + } + } +=20 +@@ -2083,143 +2223,49 @@ int dnssec_validate_reply(time_t now, struct dns_he= ader *header, size_t plen, ch + return STAT_BOGUS; + } +=20 +- /* OK, all the RRsets validate, now see if we have a NODATA or NXDOMAIN r= eply */ +- if (have_answer) +- return STAT_SECURE; +- =20 +- /* NXDOMAIN or NODATA reply, prove that (name, class1, type1) can't exist= */ +- /* First marshall the NSEC records, if we've not done it previously */ +- if (!nsec_type && !(nsec_type =3D find_nsec_records(header, plen, &nsecs,= &nsec_count, qclass))) +- { +- /* No NSEC records. If we dropped off the end of a CNAME chain, return +- STAT_NO_SIG and the last name is keyname. This is used for proving non-ex= istence +- if DS records in CNAME chains. */ +- if (cname_count =3D=3D CNAME_CHAIN) /* No CNAME chain, return empty n= ame. */ +- *keyname =3D 0; +- else if (!extract_name(header, plen, &qname, keyname, 1, 0)) +- return STAT_BOGUS; +- return STAT_NO_SIG; /* No NSECs, this is probably a dangling CNAME po= inting into +- an unsigned zone. Return STAT_NO_SIG to cause this to be proved. */ +- } +- =20 +- /* Get name of missing answer */ +- if (!extract_name(header, plen, &qname, name, 1, 0)) +- return STAT_BOGUS; +- =20 +- if (nsec_type =3D=3D T_NSEC) +- return prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon= ->workspacename, keyname, name, qtype, nons); +- else +- return prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemo= n->workspacename, keyname, name, qtype, NULL, nons); +-} +- +-/* Chase the CNAME chain in the packet until the first record which _doesn'= t validate. +- Needed for proving answer in unsigned space. +- Return STAT_NEED_*=20 +- STAT_BOGUS - error +- STAT_INSECURE - name of first non-secure record in name=20 +-*/ +-int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, = char *name, char *keyname) +-{ +- unsigned char *p =3D (unsigned char *)(header+1); +- int type, class, qclass, rdlen, j, rc; +- int cname_count =3D CNAME_CHAIN; +- char *wildname; +- +- /* Get question */ +- if (!extract_name(header, plen, &p, name, 1, 4)) +- return STAT_BOGUS; +- =20 +- p +=3D2; /* type */ +- GETSHORT(qclass, p); +- +- while (1) +- { +- for (j =3D ntohs(header->ancount); j !=3D 0; j--)=20 +- { +- if (!(rc =3D extract_name(header, plen, &p, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ +- =20 +- GETSHORT(type, p);=20 +- GETSHORT(class, p); +- p +=3D 4; /* TTL */ +- GETSHORT(rdlen, p); +- +- /* Not target, loop */ +- if (rc =3D=3D 2 || qclass !=3D class) +- { +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return STAT_BOGUS; +- continue; +- } +- =20 +- /* Got to end of CNAME chain. */ +- if (type !=3D T_CNAME) +- return STAT_INSECURE; +- =20 +- /* validate CNAME chain, return if insecure or need more data */ +- rc =3D validate_rrset(now, header, plen, class, type, name, keyname, &wi= ldname, NULL, 0, 0, 0); +- =20 +- if (rc =3D=3D STAT_SECURE_WILDCARD) +- { +- int nsec_type, nsec_count, i; +- unsigned char **nsecs; +- +- /* An attacker can replay a wildcard answer with a different +- answer and overlay a genuine RR. To prove this +- hasn't happened, the answer must prove that +- the genuine record doesn't exist. Check that here. */ +- if (!(nsec_type =3D find_nsec_records(header, plen, &nsecs, &nsec_co= unt, class))) +- return STAT_BOGUS; /* No NSECs or bad packet */ +- =20 +- /* Note that we're called here because something didn't validate in = validate_reply, +- so we can't assume that any NSEC records have been validated. We do them= by steam here */ +- +- for (i =3D 0; i < nsec_count; i++) +- { +- unsigned char *p1 =3D nsecs[i]; +- =20 +- if (!extract_name(header, plen, &p1, daemon->workspacename, 1, 0)) +- return STAT_BOGUS; +- +- rc =3D validate_rrset(now, header, plen, class, nsec_type, daemon->work= spacename, keyname, NULL, NULL, 0, 0, 0); ++ /* OK, all the RRsets validate, now see if we have a missing answer or CN= AME target. */ ++ for (j =3D 0; j = workspacename, keyname, name, type, NULL); +- else +- rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon-= >workspacename,=20 +- keyname, name, type, wildname, NULL); +- =20 +- if (rc !=3D STAT_SECURE) +- return rc; +- } +- =20 +- if (rc !=3D STAT_SECURE) +- { +- if (rc =3D=3D STAT_NO_SIG) +- rc =3D STAT_INSECURE; +- return rc; +- } ++ }=20 ++ =09 ++ return STAT_BOGUS; /* signed zone, no NSECs */ ++ } ++ } +=20 +- /* Loop down CNAME chain/ */ +- if (!cname_count-- ||=20 +- !extract_name(header, plen, &p, name, 1, 0) || +- !(p =3D skip_questions(header, plen))) +- return STAT_BOGUS; +- =20 +- break; +- } ++ if (nsec_type =3D=3D T_NSEC) ++ rc =3D prove_non_existence_nsec(header, plen, nsecs, nsec_count, daemon-= >workspacename, keyname, name, qtype, nons); ++ else ++ rc =3D prove_non_existence_nsec3(header, plen, nsecs, nsec_count, daemon= ->workspacename, keyname, name, qtype, NULL, nons); +=20 +- /* End of CNAME chain */ +- return STAT_INSECURE;=09 +- } ++ if (rc !=3D STAT_SECURE) ++ return rc; ++ } ++ =20 ++ return STAT_SECURE; + } +=20 +=20 +diff --git a/src/forward.c b/src/forward.c +index b76a974..dd22a62 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -23,15 +23,6 @@ static struct frec *lookup_frec_by_sender(unsigned short = id, + static unsigned short get_id(void); + static void free_frec(struct frec *f); +=20 +-#ifdef HAVE_DNSSEC +-static int tcp_key_recurse(time_t now, int status, struct dns_header *heade= r, size_t n,=20 +- int class, char *name, char *keyname, struct server *server, int *key= count); +-static int do_check_sign(struct frec *forward, int status, time_t now, char= *name, char *keyname); +-static int send_check_sign(struct frec *forward, time_t now, struct dns_hea= der *header, size_t plen,=20 +- char *name, char *keyname); +-#endif +- +- + /* Send a UDP packet with its source address set as "source"=20 + unless nowild is true, when we just send it with the kernel default */ + int send_from(int fd, int nowild, char *packet, size_t len,=20 +@@ -825,236 +816,142 @@ void reply_query(int fd, int family, time_t now) + #ifdef HAVE_DNSSEC + if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FRE= C_CHECKING_DISABLED)) + { +- int status; ++ int status =3D 0; +=20 + /* We've had a reply already, which we're validating. Ignore this duplic= ate */ + if (forward->blocking_query) + return; +- +- if (header->hb3 & HB3_TC) +- { +- /* Truncated answer can't be validated. ++ =20 ++ /* Truncated answer can't be validated. + If this is an answer to a DNSSEC-generated query, we still + need to get the client to retry over TCP, so return + an answer with the TC bit set, even if the actual answer fits. + */ +- status =3D STAT_TRUNCATED; +- } +- else if (forward->flags & FREC_DNSKEY_QUERY) +- status =3D dnssec_validate_by_ds(now, header, n, daemon->namebuff, dae= mon->keyname, forward->class); +- else if (forward->flags & FREC_DS_QUERY) +- { +- status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, daem= on->keyname, forward->class); +- /* Provably no DS, everything below is insecure, even if signatures = are offered */ +- if (status =3D=3D STAT_NO_DS) +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the=20 +- DS chain, so we don't return replies from cache missing sigs. */ +- status =3D STAT_INSECURE_DS; +- else if (status =3D=3D STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- status =3D send_check_sign(forward, now, header, n, daemon->namebuf= f, daemon->keyname); +- if (status =3D=3D STAT_INSECURE) +- status =3D STAT_INSECURE_DS; +- } +- else +- status =3D STAT_INSECURE_DS; +- } +- else if (status =3D=3D STAT_NO_NS) +- status =3D STAT_BOGUS; +- } +- else if (forward->flags & FREC_CHECK_NOSIGN) +- { +- status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, daem= on->keyname, forward->class); +- if (status !=3D STAT_NEED_KEY) +- status =3D do_check_sign(forward, status, now, daemon->namebuff, daemon->= keyname); +- } +- else ++ if (header->hb3 & HB3_TC) ++ status =3D STAT_TRUNCATED; ++ =20 ++ while (1) + { +- status =3D dnssec_validate_reply(now, header, n, daemon->namebuff, d= aemon->keyname, &forward->class, NULL, NULL); +- if (status =3D=3D STAT_NO_SIG) ++ /* As soon as anything returns BOGUS, we stop and unwind, to do othe= rwise ++ would invite infinite loops, since the answers to DNSKEY and DS queries ++ will not be cached, so they'll be repeated. */ ++ if (status !=3D STAT_BOGUS && status !=3D STAT_TRUNCATED && status != =3D STAT_ABANDONED) + { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- status =3D send_check_sign(forward, now, header, n, daemon->namebuff,= daemon->keyname); ++ if (forward->flags & FREC_DNSKEY_QUERY) ++ status =3D dnssec_validate_by_ds(now, header, n, daemon->namebuff, da= emon->keyname, forward->class); ++ else if (forward->flags & FREC_DS_QUERY) ++ status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, daemo= n->keyname, forward->class); + else +- status =3D STAT_INSECURE; ++ status =3D dnssec_validate_reply(now, header, n, daemon->namebuff, da= emon->keyname, &forward->class,=20 ++ option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); + } +- } +- /* Can't validate, as we're missing key data. Put this +- answer aside, whilst we get that. */ =20 +- if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NEG || stat= us =3D=3D STAT_NEED_KEY) +- { +- struct frec *new, *orig; +- =20 +- /* Free any saved query */ +- if (forward->stash) +- blockdata_free(forward->stash); +- =20 +- /* Now save reply pending receipt of key data */ +- if (!(forward->stash =3D blockdata_alloc((char *)header, n))) +- return; +- forward->stash_len =3D n; + =20 +- anotherkey: =20 +- /* Find the original query that started it all.... */ +- for (orig =3D forward; orig->dependent; orig =3D orig->dependent); +- +- if (--orig->work_counter =3D=3D 0 || !(new =3D get_new_frec(now, NUL= L, 1))) +- status =3D STAT_INSECURE; +- else ++ /* Can't validate, as we're missing key data. Put this ++ answer aside, whilst we get that. */ =20 ++ if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_KEY) + { +- int fd; +- struct frec *next =3D new->next; +- *new =3D *forward; /* copy everything, then overwrite */ +- new->next =3D next; +- new->blocking_query =3D NULL; +- new->sentto =3D server; +- new->rfd4 =3D NULL; +- new->orig_domain =3D NULL; +-#ifdef HAVE_IPV6 +- new->rfd6 =3D NULL; +-#endif +- new->flags &=3D ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN= ); ++ struct frec *new, *orig; + =20 +- new->dependent =3D forward; /* to find query awaiting new one. */ +- forward->blocking_query =3D new; /* for garbage cleaning */ +- /* validate routines leave name of required record in daemon->keyname */ +- if (status =3D=3D STAT_NEED_KEY) +- { +- new->flags |=3D FREC_DNSKEY_QUERY;=20 +- nn =3D dnssec_generate_query(header, ((char *) header) + daemon->pa= cket_buff_sz, +- daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->ed= ns_pktsz); +- } +- else=20 +- { +- if (status =3D=3D STAT_NEED_DS_NEG) +- new->flags |=3D FREC_CHECK_NOSIGN; +- else +- new->flags |=3D FREC_DS_QUERY; +- nn =3D dnssec_generate_query(header,((char *) header) + daemon->pac= ket_buff_sz, +- daemon->keyname, forward->class, T_DS, &server->addr, server->edns_p= ktsz); +- } +- if ((hash =3D hash_questions(header, nn, daemon->namebuff))) +- memcpy(new->hash, hash, HASH_SIZE); +- new->new_id =3D get_id(); +- header->id =3D htons(new->new_id); +- /* Save query for retransmission */ +- if (!(new->stash =3D blockdata_alloc((char *)header, nn))) ++ /* Free any saved query */ ++ if (forward->stash) ++ blockdata_free(forward->stash); ++ =20 ++ /* Now save reply pending receipt of key data */ ++ if (!(forward->stash =3D blockdata_alloc((char *)header, n))) + return; +- =20 +- new->stash_len =3D nn; ++ forward->stash_len =3D n; + =20 +- /* Don't resend this. */ +- daemon->srv_save =3D NULL; ++ /* Find the original query that started it all.... */ ++ for (orig =3D forward; orig->dependent; orig =3D orig->dependent); + =20 +- if (server->sfd) +- fd =3D server->sfd->fd; ++ if (--orig->work_counter =3D=3D 0 || !(new =3D get_new_frec(now, NULL, = 1))) ++ status =3D STAT_ABANDONED; + else + { +- fd =3D -1; ++ int fd; ++ struct frec *next =3D new->next; ++ *new =3D *forward; /* copy everything, then overwrite */ ++ new->next =3D next; ++ new->blocking_query =3D NULL; ++ new->sentto =3D server; ++ new->rfd4 =3D NULL; + #ifdef HAVE_IPV6 +- if (server->addr.sa.sa_family =3D=3D AF_INET6) ++ new->rfd6 =3D NULL; ++#endif ++ new->flags &=3D ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY); ++ =20 ++ new->dependent =3D forward; /* to find query awaiting new one. */ ++ forward->blocking_query =3D new; /* for garbage cleaning */ ++ /* validate routines leave name of required record in daemon->keyna= me */ ++ if (status =3D=3D STAT_NEED_KEY) ++ { ++ new->flags |=3D FREC_DNSKEY_QUERY;=20 ++ nn =3D dnssec_generate_query(header, ((char *) header) + daemon->packe= t_buff_sz, ++ daemon->keyname, forward->class, T_DNSKEY, &server->addr, server= ->edns_pktsz); ++ } ++ else=20 + { +- if (new->rfd6 || (new->rfd6 =3D allocate_rfd(AF_INET6))) +- fd =3D new->rfd6->fd; ++ new->flags |=3D FREC_DS_QUERY; ++ nn =3D dnssec_generate_query(header,((char *) header) + daemon->packet= _buff_sz, ++ daemon->keyname, forward->class, T_DS, &server->addr, server->ed= ns_pktsz); + } ++ if ((hash =3D hash_questions(header, nn, daemon->namebuff))) ++ memcpy(new->hash, hash, HASH_SIZE); ++ new->new_id =3D get_id(); ++ header->id =3D htons(new->new_id); ++ /* Save query for retransmission */ ++ new->stash =3D blockdata_alloc((char *)header, nn); ++ new->stash_len =3D nn; ++ =20 ++ /* Don't resend this. */ ++ daemon->srv_save =3D NULL; ++ =20 ++ if (server->sfd) ++ fd =3D server->sfd->fd; + else ++ { ++ fd =3D -1; ++#ifdef HAVE_IPV6 ++ if (server->addr.sa.sa_family =3D=3D AF_INET6) ++ { ++ if (new->rfd6 || (new->rfd6 =3D allocate_rfd(AF_INET6))) ++ fd =3D new->rfd6->fd; ++ } ++ else + #endif ++ { ++ if (new->rfd4 || (new->rfd4 =3D allocate_rfd(AF_INET))) ++ fd =3D new->rfd4->fd; ++ } ++ } ++ =20 ++ if (fd !=3D -1) + { +- if (new->rfd4 || (new->rfd4 =3D allocate_rfd(AF_INET))) +- fd =3D new->rfd4->fd; ++ while (retry_send(sendto(fd, (char *)header, nn, 0,=20 ++ &server->addr.sa,=20 ++ sa_len(&server->addr))));=20 ++ server->queries++; + } +- } +- =20 +- if (fd !=3D -1) +- { +- while (retry_send(sendto(fd, (char *)header, nn, 0,=20 +- &server->addr.sa,=20 +- sa_len(&server->addr))));=20 +- server->queries++; +- } +- =20 ++ } =20 + return; + } +- } + =20 +- /* Ok, we reached far enough up the chain-of-trust that we can validate = something. +- Now wind back down, pulling back answers which wouldn't previously va= lidate +- and validate them with the new data. Note that if an answer needs mul= tiple +- keys to validate, we may find another key is needed, in which case we= set off +- down another branch of the tree. Once we get to the original answer=20 +- (FREC_DNSSEC_QUERY not set) and it validates, return it to the origin= al requestor. */ +- while (forward->dependent) +- { ++ /* Validated original answer, all done. */ ++ if (!forward->dependent) ++ break; ++ =20 ++ /* validated subsdiary query, (and cached result) ++ pop that and return to the previous query we were working on. */ + struct frec *prev =3D forward->dependent; + free_frec(forward); + forward =3D prev; + forward->blocking_query =3D NULL; /* already gone */ + blockdata_retrieve(forward->stash, forward->stash_len, (void *)heade= r); + n =3D forward->stash_len; +- =20 +- if (status =3D=3D STAT_SECURE) +- { +- if (forward->flags & FREC_DNSKEY_QUERY) +- status =3D dnssec_validate_by_ds(now, header, n, daemon->namebuff, da= emon->keyname, forward->class); +- else if (forward->flags & FREC_DS_QUERY) +- { +- status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, dae= mon->keyname, forward->class); +- /* Provably no DS, everything below is insecure, even if signature= s are offered */ +- if (status =3D=3D STAT_NO_DS) +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the=20 +- DS chain, so we don't return replies from cache missing sigs. */ +- status =3D STAT_INSECURE_DS; +- else if (status =3D=3D STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- status =3D send_check_sign(forward, now, header, n, daemon->nameb= uff, daemon->keyname);=20 +- if (status =3D=3D STAT_INSECURE) +- status =3D STAT_INSECURE_DS; +- } +- else +- status =3D STAT_INSECURE_DS; +- } +- else if (status =3D=3D STAT_NO_NS) +- status =3D STAT_BOGUS; +- } +- else if (forward->flags & FREC_CHECK_NOSIGN) +- { +- status =3D dnssec_validate_ds(now, header, n, daemon->namebuff, dae= mon->keyname, forward->class); +- if (status !=3D STAT_NEED_KEY) +- status =3D do_check_sign(forward, status, now, daemon->namebuff, daemon-= >keyname); +- } +- else +- { +- status =3D dnssec_validate_reply(now, header, n, daemon->namebuff, = daemon->keyname, &forward->class, NULL, NULL);=09 +- if (status =3D=3D STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- status =3D send_check_sign(forward, now, header, n, daemon->namebuff= , daemon->keyname); +- else +- status =3D STAT_INSECURE; +- } +- } +- =20 +- if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NEG || sta= tus =3D=3D STAT_NEED_KEY) +- goto anotherkey; +- } + } ++=09 + =20 + no_cache_dnssec =3D 0; +- +- if (status =3D=3D STAT_INSECURE_DS) +- { +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the=20 +- DS chain, so we don't return replies from cache missing sigs. */ +- status =3D STAT_INSECURE; +- no_cache_dnssec =3D 1; +- } + =20 + if (status =3D=3D STAT_TRUNCATED) + header->hb3 |=3D HB3_TC; +@@ -1062,7 +959,7 @@ void reply_query(int fd, int family, time_t now) + { + char *result, *domain =3D "result"; + =20 +- if (forward->work_counter =3D=3D 0) ++ if (status =3D=3D STAT_ABANDONED) + { + result =3D "ABANDONED"; + status =3D STAT_BOGUS; +@@ -1072,7 +969,7 @@ void reply_query(int fd, int family, time_t now) + =20 + if (status =3D=3D STAT_BOGUS && extract_request(header, n, daemon->n= amebuff, NULL)) + domain =3D daemon->namebuff; +- ++ =20 + log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); + } + =20 +@@ -1415,315 +1312,49 @@ void receive_query(struct listener *listen, time_t = now) + } +=20 + #ifdef HAVE_DNSSEC +- +-/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove = there's no DS +- and therefore the answer shouldn't be signed, or STAT_BOGUS if it should= be, or=20 +- STAT_NEED_DS_NEG and keyname if we need to do the query. */ +-static int send_check_sign(struct frec *forward, time_t now, struct dns_hea= der *header, size_t plen,=20 +- char *name, char *keyname) +-{ +- int status =3D dnssec_chase_cname(now, header, plen, name, keyname); +- =20 +- if (status !=3D STAT_INSECURE) +- return status; +- +- /* Store the domain we're trying to check. */ +- forward->name_start =3D strlen(name); +- forward->name_len =3D forward->name_start + 1; +- if (!(forward->orig_domain =3D blockdata_alloc(name, forward->name_len))) +- return STAT_BOGUS; +- =20 +- return do_check_sign(forward, 0, now, name, keyname); +-} +-=20 +-/* We either have a a reply (header non-NULL, or we need to start by lookin= g in the cache */=20 +-static int do_check_sign(struct frec *forward, int status, time_t now, char= *name, char *keyname) +-{ +- /* get domain we're checking back from blockdata store, it's stored on th= e original query. */ +- while (forward->dependent && !forward->orig_domain) +- forward =3D forward->dependent; +- +- blockdata_retrieve(forward->orig_domain, forward->name_len, name); +- =20 +- while (1) +- { +- char *p;=20 +- +- if (status =3D=3D 0) +- { +- struct crec *crecp; +- +- /* Haven't received answer, see if in cache */ +- if (!(crecp =3D cache_find_by_name(NULL, &name[forward->name_start], now= , F_DS))) +- { +- /* put name of DS record we're missing into keyname */ +- strcpy(keyname, &name[forward->name_start]); +- /* and wait for reply to arrive */ +- return STAT_NEED_DS_NEG; +- } +- +- /* F_DNSSECOK misused in DS cache records to non-existance of NS record = */=20 +- if (!(crecp->flags & F_NEG)) +- status =3D STAT_SECURE; +- else if (crecp->flags & F_DNSSECOK) +- status =3D STAT_NO_DS; +- else +- status =3D STAT_NO_NS; +- } +- =20 +- /* Have entered non-signed part of DNS tree. */=20 +- if (status =3D=3D STAT_NO_DS) +- return forward->dependent ? STAT_INSECURE_DS : STAT_INSECURE; +- +- if (status =3D=3D STAT_BOGUS) +- return STAT_BOGUS; +- +- if (status =3D=3D STAT_NO_SIG && *keyname !=3D 0) +- { +- /* There is a validated CNAME chain that doesn't end in a DS record. Sta= rt=20 +- the search again in that domain. */ +- blockdata_free(forward->orig_domain); +- forward->name_start =3D strlen(keyname); +- forward->name_len =3D forward->name_start + 1; +- if (!(forward->orig_domain =3D blockdata_alloc(keyname, forward->name_le= n))) +- return STAT_BOGUS; +- =20 +- strcpy(name, keyname); +- status =3D 0; /* force to cache when we iterate. */ +- continue; +- } +- =20 +- /* There's a proven DS record, or we're within a zone, where there do= esn't need +- to be a DS record. Add a name and try again.=20 +- If we've already tried the whole name, then fail */ +- +- if (forward->name_start =3D=3D 0) +- return STAT_BOGUS; +- =20 +- for (p =3D &name[forward->name_start-2]; (*p !=3D '.') && (p !=3D nam= e); p--); +- =20 +- if (p !=3D name) +- p++; +- =20 +- forward->name_start =3D p - name; +- status =3D 0; /* force to cache when we iterate. */ +- } +-} +- +-/* Move down from the root, until we find a signed non-existance of a DS, i= n which case +- an unsigned answer is OK, or we find a signed DS, in which case there sh= ould be=20 +- a signature, and the answer is BOGUS */ +-static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *head= er, size_t plen, int class, char *name,=20 +- char *keyname, struct server *server, int *keycount) +-{ +- size_t m; +- unsigned char *packet, *payload; +- u16 *length; +- int status, name_len; +- struct blockdata *block; +- +- char *name_start; +- +- /* Get first insecure entry in CNAME chain */ +- status =3D tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, na= me, keyname, server, keycount); +- if (status =3D=3D STAT_BOGUS) +- return STAT_BOGUS; +- =20 +- if (!(packet =3D whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))= )) +- return STAT_BOGUS; +- =20 +- payload =3D &packet[2]; +- header =3D (struct dns_header *)payload; +- length =3D (u16 *)packet; +- +- /* Stash the name away, since the buffer will be trashed when we recurse = */ +- name_len =3D strlen(name) + 1; +- name_start =3D name + name_len - 1; +- =20 +- if (!(block =3D blockdata_alloc(name, name_len))) +- { +- free(packet); +- return STAT_BOGUS; +- } +- +- while (1) +- { +- unsigned char c1, c2; +- struct crec *crecp; +- +- if (--(*keycount) =3D=3D 0) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; =20 +- } +- =20 +- while ((crecp =3D cache_find_by_name(NULL, name_start, now, F_DS))) +- { =20 +- if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)) +- { +- /* Found a secure denial of DS - delegation is indeed insecure */ +- free(packet); +- blockdata_free(block); +- return STAT_INSECURE; +- } +- =20 +- /* Here, either there's a secure DS, or no NS and no DS, and therefore n= o delegation. +- Add another label and continue. */ +-=20 +- if (name_start =3D=3D name) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; /* run out of labels */ +- } +- =20 +- name_start -=3D 2; +- while (*name_start !=3D '.' && name_start !=3D name)=20 +- name_start--; +- if (name_start !=3D name) +- name_start++; +- } +- =20 +- /* Can't find it in the cache, have to send a query */ +- +- m =3D dnssec_generate_query(header, ((char *) header) + 65536, name_s= tart, class, T_DS, &server->addr, server->edns_pktsz); +- =20 +- *length =3D htons(m); +- =20 +- if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && +- read_write(server->tcpfd, &c1, 1, 1) && +- read_write(server->tcpfd, &c2, 1, 1) && +- read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) +- { +- m =3D (c1 << 8) | c2; +- =20 +- /* Note this trashes all three name workspaces */ +- status =3D tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name= , keyname, server, keycount); +- =20 +- if (status =3D=3D STAT_NO_DS) +- { +- /* Found a secure denial of DS - delegation is indeed insecure */ +- free(packet); +- blockdata_free(block); +- return STAT_INSECURE; +- } +- =20 +- if (status =3D=3D STAT_NO_SIG && *keyname !=3D 0) +- { +- /* There is a validated CNAME chain that doesn't end in a DS record.= Start=20 +- the search again in that domain. */ +- blockdata_free(block); +- name_len =3D strlen(keyname) + 1; +- name_start =3D name + name_len - 1; +- =20 +- if (!(block =3D blockdata_alloc(keyname, name_len))) +- return STAT_BOGUS; +- =20 +- strcpy(name, keyname); +- continue; +- } +- =20 +- if (status =3D=3D STAT_BOGUS) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; +- } +- =20 +- /* Here, either there's a secure DS, or no NS and no DS, and therefore n= o delegation. +- Add another label and continue. */ +- =20 +- /* Get name we're checking back. */ +- blockdata_retrieve(block, name_len, name); +- =20 +- if (name_start =3D=3D name) +- { +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; /* run out of labels */ +- } +- =20 +- name_start -=3D 2; +- while (*name_start !=3D '.' && name_start !=3D name)=20 +- name_start--; +- if (name_start !=3D name) +- name_start++; +- } +- else +- { +- /* IO failure */ +- free(packet); +- blockdata_free(block); +- return STAT_BOGUS; /* run out of labels */ +- } +- } +-} +- + static int tcp_key_recurse(time_t now, int status, struct dns_header *heade= r, size_t n,=20 + int class, char *name, char *keyname, struct server *server, int *key= count) + { + /* Recurse up the key heirarchy */ + int new_status; ++ unsigned char *packet =3D NULL; ++ size_t m;=20 ++ unsigned char *payload =3D NULL; ++ struct dns_header *new_header =3D NULL; ++ u16 *length =3D NULL; ++ unsigned char c1, c2; +=20 +- /* limit the amount of work we do, to avoid cycling forever on loops in t= he DNS */ +- if (--(*keycount) =3D=3D 0) +- return STAT_INSECURE; +- =20 +- if (status =3D=3D STAT_NEED_KEY) +- new_status =3D dnssec_validate_by_ds(now, header, n, name, keyname, cla= ss); +- else if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NEG) ++ while (1) + { +- new_status =3D dnssec_validate_ds(now, header, n, name, keyname, clas= s); +- if (status =3D=3D STAT_NEED_DS) ++ /* limit the amount of work we do, to avoid cycling forever on loops = in the DNS */ ++ if (--(*keycount) =3D=3D 0) ++ new_status =3D STAT_ABANDONED; ++ else if (status =3D=3D STAT_NEED_KEY) ++ new_status =3D dnssec_validate_by_ds(now, header, n, name, keyname, class); ++ else if (status =3D=3D STAT_NEED_DS) ++ new_status =3D dnssec_validate_ds(now, header, n, name, keyname, class); ++ else=20 ++ new_status =3D dnssec_validate_reply(now, header, n, name, keyname, &class= , option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); ++ =20 ++ if (new_status !=3D STAT_NEED_DS && new_status !=3D STAT_NEED_KEY) ++ break; ++ ++ /* Can't validate because we need a key/DS whose name now in keyname. ++ Make query for same, and recurse to validate */ ++ if (!packet) + { +- if (new_status =3D=3D STAT_NO_DS) +- new_status =3D STAT_INSECURE_DS; +- if (new_status =3D=3D STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, name, = keyname, server, keycount); +- if (new_status =3D=3D STAT_INSECURE) +- new_status =3D STAT_INSECURE_DS; +- } +- else +- new_status =3D STAT_INSECURE_DS; +- } +- else if (new_status =3D=3D STAT_NO_NS) +- new_status =3D STAT_BOGUS; ++ packet =3D whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); ++ payload =3D &packet[2]; ++ new_header =3D (struct dns_header *)payload; ++ length =3D (u16 *)packet; + } +- } +- else if (status =3D=3D STAT_CHASE_CNAME) +- new_status =3D dnssec_chase_cname(now, header, n, name, keyname); +- else=20 +- { +- new_status =3D dnssec_validate_reply(now, header, n, name, keyname, &= class, NULL, NULL); + =20 +- if (new_status =3D=3D STAT_NO_SIG) ++ if (!packet) + { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, name= , keyname, server, keycount); +- else +- new_status =3D STAT_INSECURE; ++ new_status =3D STAT_ABANDONED; ++ break; + } +- } +- +- /* Can't validate because we need a key/DS whose name now in keyname. +- Make query for same, and recurse to validate */ +- if (new_status =3D=3D STAT_NEED_DS || new_status =3D=3D STAT_NEED_KEY) +- { +- size_t m;=20 +- unsigned char *packet =3D whine_malloc(65536 + MAXDNAME + RRFIXEDSZ += sizeof(u16)); +- unsigned char *payload =3D &packet[2]; +- struct dns_header *new_header =3D (struct dns_header *)payload; +- u16 *length =3D (u16 *)packet; +- unsigned char c1, c2; +- =20 +- if (!packet) +- return STAT_INSECURE; +- +- another_tcp_key: ++ =20 + m =3D dnssec_generate_query(new_header, ((char *) new_header) + 65536= , keyname, class,=20 + new_status =3D=3D STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, serve= r->edns_pktsz); + =20 +@@ -1733,65 +1364,22 @@ static int tcp_key_recurse(time_t now, int status, s= truct dns_header *header, si + !read_write(server->tcpfd, &c1, 1, 1) || + !read_write(server->tcpfd, &c2, 1, 1) || + !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) +- new_status =3D STAT_INSECURE; +- else + { +- m =3D (c1 << 8) | c2; +- =20 +- new_status =3D tcp_key_recurse(now, new_status, new_header, m, class, na= me, keyname, server, keycount); +- =20 +- if (new_status =3D=3D STAT_SECURE) +- { +- /* Reached a validated record, now try again at this level. +- Note that we may get ANOTHER NEED_* if an answer needs more than one key. +- If so, go round again. */ +- =20 +- if (status =3D=3D STAT_NEED_KEY) +- new_status =3D dnssec_validate_by_ds(now, header, n, name, keyname, class= ); +- else if (status =3D=3D STAT_NEED_DS || status =3D=3D STAT_NEED_DS_NE= G) +- { +- new_status =3D dnssec_validate_ds(now, header, n, name, keyname, class); +- if (status =3D=3D STAT_NEED_DS) +- { +- if (new_status =3D=3D STAT_NO_DS) +- new_status =3D STAT_INSECURE_DS; +- else if (new_status =3D=3D STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- { +- new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, = name, keyname, server, keycount);=20 +- if (new_status =3D=3D STAT_INSECURE) +- new_status =3D STAT_INSECURE_DS; +- } +- else +- new_status =3D STAT_INSECURE_DS; +- } +- else if (new_status =3D=3D STAT_NO_NS) +- new_status =3D STAT_BOGUS; +- } +- } +- else if (status =3D=3D STAT_CHASE_CNAME) +- new_status =3D dnssec_chase_cname(now, header, n, name, keyname); +- else=20 +- { +- new_status =3D dnssec_validate_reply(now, header, n, name, keyname, &cl= ass, NULL, NULL); +- =20 +- if (new_status =3D=3D STAT_NO_SIG) +- { +- if (option_bool(OPT_DNSSEC_NO_SIGN)) +- new_status =3D tcp_check_for_unsigned_zone(now, header, n, class, name, = keyname, server, keycount); +- else +- new_status =3D STAT_INSECURE; +- } +- } +- =20 +- if (new_status =3D=3D STAT_NEED_DS || new_status =3D=3D STAT_NEED_KE= Y) +- goto another_tcp_key; +- } ++ new_status =3D STAT_ABANDONED; ++ break; + } ++ ++ m =3D (c1 << 8) | c2; + =20 +- free(packet); ++ new_status =3D tcp_key_recurse(now, new_status, new_header, m, class,= name, keyname, server, keycount); ++ =20 ++ if (new_status !=3D STAT_OK) ++ break; + } ++ ++ if (packet) ++ free(packet); ++ =20 + return new_status; + } + #endif +@@ -2075,19 +1663,10 @@ unsigned char *tcp_request(int confd, time_t now, + if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled) + { + int keycount =3D DNSSEC_WORK; /* Limit to number of DNSSEC questions, = to catch loops and avoid filling cache. */ +- int status =3D tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daem= on->namebuff, daemon->keyname, last_server, &keycount); ++ int status =3D tcp_key_recurse(now, STAT_OK, header, m, 0, daemon->nam= ebuff, daemon->keyname, last_server, &keycount); + char *result, *domain =3D "result"; +- +- if (status =3D=3D STAT_INSECURE_DS) +- { +- /* We only cache sigs when we've validated a reply. +- Avoid caching a reply with sigs if there's a vaildated break in the=20 +- DS chain, so we don't return replies from cache missing sigs. */ +- status =3D STAT_INSECURE; +- no_cache_dnssec =3D 1; +- } + =20 +- if (keycount =3D=3D 0) ++ if (status =3D=3D STAT_ABANDONED) + { + result =3D "ABANDONED"; + status =3D STAT_BOGUS; +@@ -2179,7 +1758,6 @@ static struct frec *allocate_frec(time_t now) + f->dependent =3D NULL; + f->blocking_query =3D NULL; + f->stash =3D NULL; +- f->orig_domain =3D NULL; + #endif + daemon->frec_list =3D f; + } +@@ -2248,12 +1826,6 @@ static void free_frec(struct frec *f) + f->stash =3D NULL; + } +=20 +- if (f->orig_domain) +- { +- blockdata_free(f->orig_domain); +- f->orig_domain =3D NULL; +- } +- + /* Anything we're waiting on is pointless now, too */ + if (f->blocking_query) + free_frec(f->blocking_query); +@@ -2281,14 +1853,23 @@ struct frec *get_new_frec(time_t now, int *wait, int= force) + target =3D f; + else=20 + { +- if (difftime(now, f->time) >=3D 4*TIMEOUT) +- { +- free_frec(f); +- target =3D f; +- } +-=09 +- if (!oldest || difftime(f->time, oldest->time) <=3D 0) +- oldest =3D f; ++#ifdef HAVE_DNSSEC ++ /* Don't free DNSSEC sub-queries here, as we may end up with ++ dangling references to them. They'll go when their "real" query=20 ++ is freed. */ ++ if (!f->dependent) ++#endif ++ { ++ if (difftime(now, f->time) >=3D 4*TIMEOUT) ++ { ++ free_frec(f); ++ target =3D f; ++ } ++ =20 ++ =20 ++ if (!oldest || difftime(f->time, oldest->time) <=3D 0) ++ oldest =3D f; ++ } + } +=20 + if (target) +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_the= m_from_cache.patch b/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_retur= ning_them_from_cache.patch new file mode 100644 index 0000000..5ffaf97 --- /dev/null +++ b/src/patches/dnsmasq/017-Abandon_caching_RRSIGs_and_returning_them_from_= cache.patch @@ -0,0 +1,612 @@ +From 93be5b1e023b0c661e1ec2cd6d811a8ec9055c49 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 15 Dec 2015 12:04:40 +0000 +Subject: [PATCH] Abandon caching RRSIGs and returning them from cache. + +The list of exceptions to being able to locally answer +cached data for validated records when DNSSEC data is requested +was getting too long, so don't ever do that. This means +that the cache no longer has to hold RRSIGS and allows +us to lose lots of code. Note that cached validated +answers are still returned as long as do=3D0 +--- + src/cache.c | 38 ++--------- + src/dnsmasq.h | 10 +-- + src/dnssec.c | 94 ++++----------------------- + src/rfc1035.c | 197 ++++++------------------------------------------------= --- + 4 files changed, 42 insertions(+), 297 deletions(-) + +diff --git a/src/cache.c b/src/cache.c +index 1b76b67..51ba7cc 100644 +--- a/src/cache.c ++++ b/src/cache.c +@@ -189,12 +189,7 @@ static void cache_hash(struct crec *crecp) + static void cache_blockdata_free(struct crec *crecp) + { + if (crecp->flags & F_DNSKEY) +- { +- if (crecp->flags & F_DS) +- blockdata_free(crecp->addr.sig.keydata); +- else +- blockdata_free(crecp->addr.key.keydata); +- } ++ blockdata_free(crecp->addr.key.keydata); + else if ((crecp->flags & F_DS) && !(crecp->flags & F_NEG)) + blockdata_free(crecp->addr.ds.keydata); + } +@@ -369,13 +364,8 @@ static struct crec *cache_scan_free(char *name, struct = all_addr *addr, time_t no + } + =20 + #ifdef HAVE_DNSSEC +- /* Deletion has to be class-sensitive for DS, DNSKEY, RRSIG, also=20 +- type-covered sensitive for RRSIG */ +- if ((flags & (F_DNSKEY | F_DS)) && +- (flags & (F_DNSKEY | F_DS)) =3D=3D (crecp->flags & (F_DNSKEY | F_DS)) && +- crecp->uid =3D=3D addr->addr.dnssec.class && +- (!((flags & (F_DS | F_DNSKEY)) =3D=3D (F_DS | F_DNSKEY)) ||=20 +- crecp->addr.sig.type_covered =3D=3D addr->addr.dnssec.type)) ++ /* Deletion has to be class-sensitive for DS and DNSKEY */ ++ if ((flags & crecp->flags & (F_DNSKEY | F_DS)) && crecp->uid =3D=3D = addr->addr.dnssec.class) + { + if (crecp->flags & F_CONFIG) + return crecp; +@@ -532,13 +522,9 @@ struct crec *cache_insert(char *name, struct all_addr *= addr, + struct all_addr free_addr =3D new->addr.addr;; +=20 + #ifdef HAVE_DNSSEC +- /* For DNSSEC records, addr holds class and type_covered for RRSIG */ ++ /* For DNSSEC records, addr holds class. */ + if (new->flags & (F_DS | F_DNSKEY)) +- { +- free_addr.addr.dnssec.class =3D new->uid; +- if ((new->flags & (F_DS | F_DNSKEY)) =3D=3D (F_DS | F_DNSKEY)) +- free_addr.addr.dnssec.type =3D new->addr.sig.type_covered; +- } ++ free_addr.addr.dnssec.class =3D new->uid; + #endif + =20 + free_avail =3D 1; /* Must be free space now. */ +@@ -653,9 +639,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char= *name, time_t now, unsi + if (!is_expired(now, crecp) && !is_outdated_cname_pointer(crecp)) + { + if ((crecp->flags & F_FORWARD) &&=20 +-#ifdef HAVE_DNSSEC +- (((crecp->flags & (F_DNSKEY | F_DS)) =3D=3D (prot & (F_DNSKEY | F_DS)))= || (prot & F_NSIGMATCH)) && +-#endif + (crecp->flags & prot) && + hostname_isequal(cache_get_name(crecp), name)) + { +@@ -713,9 +696,6 @@ struct crec *cache_find_by_name(struct crec *crecp, char= *name, time_t now, unsi +=20 + if (ans &&=20 + (ans->flags & F_FORWARD) && +-#ifdef HAVE_DNSSEC +- (((ans->flags & (F_DNSKEY | F_DS)) =3D=3D (prot & (F_DNSKEY | F_DS)))= || (prot & F_NSIGMATCH)) && +-#endif + (ans->flags & prot) && =20 + hostname_isequal(cache_get_name(ans), name)) + return ans; +@@ -1472,11 +1452,7 @@ void dump_cache(time_t now) + #ifdef HAVE_DNSSEC + else if (cache->flags & F_DS) + { +- if (cache->flags & F_DNSKEY) +- /* RRSIG */ +- sprintf(a, "%5u %3u %s", cache->addr.sig.keytag, +- cache->addr.sig.algo, querystr("", cache->addr.sig.type_covered)); +- else if (!(cache->flags & F_NEG)) ++ if (!(cache->flags & F_NEG)) + sprintf(a, "%5u %3u %3u", cache->addr.ds.keytag, + cache->addr.ds.algo, cache->addr.ds.digest); + } +@@ -1502,8 +1478,6 @@ void dump_cache(time_t now) + else if (cache->flags & F_CNAME) + t =3D "C"; + #ifdef HAVE_DNSSEC +- else if ((cache->flags & (F_DS | F_DNSKEY)) =3D=3D (F_DS | F_DNSKEY)) +- t =3D "G"; /* DNSKEY and DS set -> RRISG */ + else if (cache->flags & F_DS) + t =3D "S"; + else if (cache->flags & F_DNSKEY) +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 023a1cf..4344cae 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -398,14 +398,9 @@ struct crec { + unsigned char algo; + unsigned char digest;=20 + } ds;=20 +- struct { +- struct blockdata *keydata; +- unsigned short keylen, type_covered, keytag; +- char algo; +- } sig; + } addr; + time_t ttd; /* time to die */ +- /* used as class if DNSKEY/DS/RRSIG, index to source for F_HOSTS */ ++ /* used as class if DNSKEY/DS, index to source for F_HOSTS */ + unsigned int uid;=20 + unsigned short flags; + union { +@@ -445,8 +440,7 @@ struct crec { + #define F_SECSTAT (1u<<24) + #define F_NO_RR (1u<<25) + #define F_IPSET (1u<<26) +-#define F_NSIGMATCH (1u<<27) +-#define F_NOEXTRA (1u<<28) ++#define F_NOEXTRA (1u<<27) +=20 + /* Values of uid in crecs with F_CONFIG bit set. */ + #define SRC_INTERFACE 0 +diff --git a/src/dnssec.c b/src/dnssec.c +index de7b335..1ae03a6 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1004,7 +1004,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade= r *header, size_t plen, ch + { + unsigned char *psave, *p =3D (unsigned char *)(header+1); + struct crec *crecp, *recp1; +- int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag, type_co= vered; ++ int rc, j, qtype, qclass, ttl, rdlen, flags, algo, valid, keytag; + struct blockdata *key; + struct all_addr a; +=20 +@@ -1115,7 +1115,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_heade= r *header, size_t plen, ch +=20 + if (valid) + { +- /* DNSKEY RRset determined to be OK, now cache it and the RRsigs that= sign it. */ ++ /* DNSKEY RRset determined to be OK, now cache it. */ + cache_start_insert(); + =20 + p =3D skip_questions(header, plen); +@@ -1155,7 +1155,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_head= er *header, size_t plen, ch + if ((key =3D blockdata_alloc((char*)p, rdlen - 4))) + { + if (!(recp1 =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSK= EY | F_DNSSECOK))) +- blockdata_free(key); ++ { ++ blockdata_free(key); ++ return STAT_BOGUS; ++ } + else + { + a.addr.keytag =3D keytag; +@@ -1169,38 +1172,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_head= er *header, size_t plen, ch + } + } + } +- else if (qtype =3D=3D T_RRSIG) +- { +- /* RRSIG, cache if covers DNSKEY RRset */ +- if (rdlen < 18) +- return STAT_BOGUS; /* bad packet */ +- =20 +- GETSHORT(type_covered, p); +- =20 +- if (type_covered =3D=3D T_DNSKEY) +- { +- a.addr.dnssec.class =3D class; +- a.addr.dnssec.type =3D type_covered; +- =20 +- algo =3D *p++; +- p +=3D 13; /* labels, orig_ttl, expiration, inception */ +- GETSHORT(keytag, p);=09 +- if ((key =3D blockdata_alloc((char*)psave, rdlen))) +- { +- if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DNSKEY= | F_DS))) +- blockdata_free(key); +- else +- { +- crecp->addr.sig.keydata =3D key; +- crecp->addr.sig.keylen =3D rdlen; +- crecp->addr.sig.keytag =3D keytag; +- crecp->addr.sig.type_covered =3D type_covered; +- crecp->addr.sig.algo =3D algo; +- } +- } +- } +- } +- =20 ++ =20 + p =3D psave; + } +=20 +@@ -1326,7 +1298,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *= header, size_t plen, char + cache_start_insert(); + =20 + a.addr.dnssec.class =3D class; +- cache_insert(name, &a, now, ttl, flags); ++ if (!cache_insert(name, &a, now, ttl, flags)) ++ return STAT_BOGUS; + =20 + cache_end_insert(); =20 + =20 +@@ -2028,14 +2001,13 @@ int dnssec_validate_reply(time_t now, struct dns_hea= der *header, size_t plen, ch + /* Not done, validate now */ + if (j =3D=3D i) + { +- int ttl, keytag, algo, digest, type_covered, sigcnt, rrcnt; ++ int ttl, keytag, algo, digest, sigcnt, rrcnt; + unsigned char *psave; + struct all_addr a; + struct blockdata *key; + struct crec *crecp; + char *wildname; +- int have_wildcard =3D 0; +- ++ =20 + if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigc= nt, &rrcnt)) + return STAT_BOGUS; +=20 +@@ -2096,8 +2068,6 @@ int dnssec_validate_reply(time_t now, struct dns_heade= r *header, size_t plen, ch + =20 + if (rc =3D=3D STAT_SECURE_WILDCARD) + { +- have_wildcard =3D 1; +- =20 + /* An attacker replay a wildcard answer with a different + answer and overlay a genuine RR. To prove this + hasn't happened, the answer must prove that +@@ -2119,7 +2089,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade= r *header, size_t plen, ch + return rc; + }=20 + =20 +- /* Cache RRsigs in answer section, and if we just validated a DS RRset,= cache it */ ++ /* If we just validated a DS RRset, cache it */ + /* Also note if the RRset is the answer to the question, or the target = of a CNAME */ + cache_start_insert(); + =20 +@@ -2168,45 +2138,7 @@ int dnssec_validate_reply(time_t now, struct dns_head= er *header, size_t plen, ch + }=20 + } + } +- else if (type2 =3D=3D T_RRSIG) +- { +- if (rdlen2 < 18) +- return STAT_BOGUS; /* bad packet */ +- =20 +- GETSHORT(type_covered, p2); +- =20 +- if (type_covered =3D=3D type1 &&=20 +- (type_covered =3D=3D T_A || type_covered =3D=3D T_AAAA || +- type_covered =3D=3D T_CNAME || type_covered =3D=3D T_DS ||=20 +- type_covered =3D=3D T_DNSKEY || type_covered =3D=3D T_PTR))=20 +- { +- a.addr.dnssec.type =3D type_covered; +- a.addr.dnssec.class =3D class1; +- =20 +- algo =3D *p2++; +- p2 +=3D 13; /* labels, orig_ttl, expiration, inception */ +- GETSHORT(keytag, p2); +- =20 +- /* We don't cache sigs for wildcard answers, because to reproduce the +- answer from the cache will require one or more NSEC/NSEC3 records = +- which we don't cache. The lack of the RRSIG ensures that a query f= or +- this RRset asking for a secure answer will always be forwarded. */ +- if (!have_wildcard && (key =3D blockdata_alloc((char*)psave, rdlen2))) +- { +- if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_D= NSKEY | F_DS))) +- blockdata_free(key); +- else +- { +- crecp->addr.sig.keydata =3D key; +- crecp->addr.sig.keylen =3D rdlen2; +- crecp->addr.sig.keytag =3D keytag; +- crecp->addr.sig.type_covered =3D type_covered; +- crecp->addr.sig.algo =3D algo; +- } +- } +- } +- } +- =20 ++ + p2 =3D psave; + } + =20 +diff --git a/src/rfc1035.c b/src/rfc1035.c +index 4eb1772..def8fa0 100644 +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -1275,11 +1275,9 @@ int check_for_local_domain(char *name, time_t now) + struct naptr *naptr; +=20 + /* Note: the call to cache_find_by_name is intended to find any record wh= ich matches +- ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting bot= h F_DS and F_DNSKEY, +- cache_find_by name ordinarily only returns records with an exact match= on those bits (ie +- for the call below, only DS records). The F_NSIGMATCH bit changes this= behaviour */ ++ ie A, AAAA, CNAME. */ +=20 +- if ((crecp =3D cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CN= AME | F_DS | F_NO_RR | F_NSIGMATCH)) && ++ if ((crecp =3D cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CN= AME |F_NO_RR)) && + (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))) + return 1; + =20 +@@ -1566,9 +1564,11 @@ size_t answer_request(struct dns_header *header, char= *limit, size_t qlen, + GETSHORT(flags, pheader); + =20 + if ((sec_reqd =3D flags & 0x8000)) +- *do_bit =3D 1;/* do bit */=20 ++ { ++ *do_bit =3D 1;/* do bit */=20 ++ *ad_reqd =3D 1; ++ } +=20 +- *ad_reqd =3D 1; + dryrun =3D 1; + } +=20 +@@ -1636,98 +1636,6 @@ size_t answer_request(struct dns_header *header, char= *limit, size_t qlen, + } + } +=20 +-#ifdef HAVE_DNSSEC +- if (option_bool(OPT_DNSSEC_VALID) && (qtype =3D=3D T_DNSKEY || qtype = =3D=3D T_DS)) +- { +- int gotone =3D 0; +- struct blockdata *keydata; +- +- /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */ +- if (sec_reqd) +- { +- crecp =3D NULL; +- while ((crecp =3D cache_find_by_name(crecp, name, now, F_DNSKEY | F_= DS))) +- if (crecp->uid =3D=3D qclass && crecp->addr.sig.type_covered =3D=3D qtype) +- break; +- } +- =20 +- if (!sec_reqd || crecp) +- { +- if (qtype =3D=3D T_DS) +- { +- crecp =3D NULL; +- while ((crecp =3D cache_find_by_name(crecp, name, now, F_DS))) +- if (crecp->uid =3D=3D qclass) +- { +- gotone =3D 1;=20 +- if (!dryrun) +- { +- if (crecp->flags & F_NEG) +- { +- if (crecp->flags & F_NXDOMAIN) +- nxdomain =3D 1; +- log_query(F_UPSTREAM, name, NULL, "no DS");=09 +- } +- else if ((keydata =3D blockdata_retrieve(crecp->addr.ds.keydata, cre= cp->addr.ds.keylen, NULL))) +- { =20 +- struct all_addr a; +- a.addr.keytag =3D crecp->addr.ds.keytag; +- log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u= "); +- if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20 +- crec_ttl(crecp, now), &nameoffset, +- T_DS, qclass, "sbbt",=20 +- crecp->addr.ds.keytag, crecp->addr.ds.algo,=20 +- crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata)) +- anscount++; +- =09 +- }=20 +- } +- } +- } +- else /* DNSKEY */ +- { +- crecp =3D NULL; +- while ((crecp =3D cache_find_by_name(crecp, name, now, F_DNSKEY))) +- if (crecp->uid =3D=3D qclass) +- { +- gotone =3D 1; +- if (!dryrun && (keydata =3D blockdata_retrieve(crecp->addr.key.keydata, = crecp->addr.key.keylen, NULL))) +- { =20 +- struct all_addr a; +- a.addr.keytag =3D crecp->addr.key.keytag; +- log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DNSKEY ke= ytag %u"); +- if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20 +- crec_ttl(crecp, now), &nameoffset, +- T_DNSKEY, qclass, "sbbt",=20 +- crecp->addr.key.flags, 3, crecp->addr.key.algo, crecp->addr.key.k= eylen, keydata)) +- anscount++; +- } +- } +- } +- } +- =20 +- /* Now do RRSIGs */ +- if (gotone) +- { +- ans =3D 1; +- auth =3D 0; +- if (!dryrun && sec_reqd) +- { +- crecp =3D NULL; +- while ((crecp =3D cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)= )) +- if (crecp->uid =3D=3D qclass && crecp->addr.sig.type_covered =3D=3D q= type && +- (keydata =3D blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig= .keylen, NULL))) +- { +- add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20 +- crec_ttl(crecp, now), &nameoffset, +- T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata); +- anscount++; +- } +- } +- } +- } +-#endif =20 +- =20 + if (qclass =3D=3D C_IN) + { + struct txt_record *t; +@@ -1736,6 +1644,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + if ((t->class =3D=3D qtype || qtype =3D=3D T_ANY) && hostname_isequal(= name, t->name)) + { + ans =3D 1; ++ sec_data =3D 0; + if (!dryrun) + { + log_query(F_CONFIG | F_RRNAME, name, NULL, ""); +@@ -1792,6 +1701,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + =20 + if (intr) + { ++ sec_data =3D 0; + ans =3D 1; + if (!dryrun) + { +@@ -1805,6 +1715,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + else if (ptr) + { + ans =3D 1; ++ sec_data =3D 0; + if (!dryrun) + { + log_query(F_CONFIG | F_RRNAME, name, NULL, ""); +@@ -1819,38 +1730,8 @@ size_t answer_request(struct dns_header *header, char= *limit, size_t qlen, + } + else if ((crecp =3D cache_find_by_addr(NULL, &addr, now, is_arpa))) + { +- if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd) +- { +- if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (c= recp->flags & F_DNSSECOK))) +- crecp =3D NULL; +-#ifdef HAVE_DNSSEC +- else if (crecp->flags & F_DNSSECOK) +- { +- int gotsig =3D 0; +- struct crec *rr_crec =3D NULL; +- +- while ((rr_crec =3D cache_find_by_name(rr_crec, name, now, F_DS | F_DN= SKEY))) +- { +- if (rr_crec->addr.sig.type_covered =3D=3D T_PTR && rr_crec->uid = =3D=3D C_IN) +- { +- char *sigdata =3D blockdata_retrieve(rr_crec->addr.sig.keydata, rr_cr= ec->addr.sig.keylen, NULL); +- gotsig =3D 1; +- =20 +- if (!dryrun &&=20 +- add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20 +- rr_crec->ttd - now, &nameoffset, +- T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata)) +- anscount++; +- } +- }=20 +- =20 +- if (!gotsig) +- crecp =3D NULL; +- } +-#endif +- } +- +- if (crecp) ++ /* Don't use cache when DNSSEC data required. */ ++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(cr= ecp->flags & F_DNSSECOK)) + { + do=20 + {=20 +@@ -1860,19 +1741,19 @@ size_t answer_request(struct dns_header *header, cha= r *limit, size_t qlen, + =20 + if (!(crecp->flags & F_DNSSECOK)) + sec_data =3D 0; +- =20 ++ =20 ++ ans =3D 1; ++ =20 + if (crecp->flags & F_NEG) + { +- ans =3D 1; + auth =3D 0; + if (crecp->flags & F_NXDOMAIN) + nxdomain =3D 1; + if (!dryrun) + log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL); + } +- else if ((crecp->flags & (F_HOSTS | F_DHCP)) || !sec_reqd || option_bo= ol(OPT_DNSSEC_VALID)) ++ else + { +- ans =3D 1; + if (!(crecp->flags & (F_HOSTS | F_DHCP))) + auth =3D 0; + if (!dryrun) +@@ -1892,6 +1773,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + else if (is_rev_synth(is_arpa, &addr, name)) + { + ans =3D 1; ++ sec_data =3D 0; + if (!dryrun) + { + log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL);=20 +@@ -1908,6 +1790,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + { + /* if not in cache, enabled and private IPV4 address, return NXDOMAIN */ + ans =3D 1; ++ sec_data =3D 0; + nxdomain =3D 1; + if (!dryrun) + log_query(F_CONFIG | F_REVERSE | F_IPV4 | F_NEG | F_NXDOMAIN,=20 +@@ -1955,6 +1838,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + if (i =3D=3D 4) + { + ans =3D 1; ++ sec_data =3D 0; + if (!dryrun) + { + addr.addr.addr4.s_addr =3D htonl(a); +@@ -1993,6 +1877,7 @@ size_t answer_request(struct dns_header *header, char = *limit, size_t qlen, + continue; + #endif=09 + ans =3D 1;=09 ++ sec_data =3D 0; + if (!dryrun) + { + gotit =3D 1; +@@ -2032,48 +1917,8 @@ size_t answer_request(struct dns_header *header, char= *limit, size_t qlen, + crecp =3D save; + } +=20 +- /* If the client asked for DNSSEC and we can't provide RRSIGs, either +- because we've not doing DNSSEC or the cached answer is signed by neg= ative, +- don't answer from the cache, forward instead. */ +- if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) && sec_reqd) +- { +- if (!option_bool(OPT_DNSSEC_VALID) || ((crecp->flags & F_NEG) && (c= recp->flags & F_DNSSECOK))) +- crecp =3D NULL; +-#ifdef HAVE_DNSSEC +- else if (crecp->flags & F_DNSSECOK) +- { +- /* We're returning validated data, need to return the RRSIG too. */ +- struct crec *rr_crec =3D NULL; +- int sigtype =3D type; +- /* The signature may have expired even though the data is still in cac= he,=20 +- forward instead of answering from cache if so. */ +- int gotsig =3D 0; +- =20 +- if (crecp->flags & F_CNAME) +- sigtype =3D T_CNAME; +- =20 +- while ((rr_crec =3D cache_find_by_name(rr_crec, name, now, F_DS | F_DN= SKEY))) +- { +- if (rr_crec->addr.sig.type_covered =3D=3D sigtype && rr_crec->uid = =3D=3D C_IN) +- { +- char *sigdata =3D blockdata_retrieve(rr_crec->addr.sig.keydata, rr_cr= ec->addr.sig.keylen, NULL); +- gotsig =3D 1; +- =20 +- if (!dryrun &&=20 +- add_resource_record(header, limit, &trunc, nameoffset, &ansp,=20 +- rr_crec->ttd - now, &nameoffset, +- T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata)) +- anscount++; +- } +- } +- =20 +- if (!gotsig) +- crecp =3D NULL; +- } +-#endif +- } =20 +- +- if (crecp) ++ /* If the client asked for DNSSEC don't use cached data. */ ++ if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !sec_reqd || !(cr= ecp->flags & F_DNSSECOK)) + do + {=20 + /* don't answer wildcard queries with data not from /etc/hosts +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_m= ore_logical_place.patch b/src/patches/dnsmasq/018-Move_code_which_caches_DS_r= ecords_to_a_more_logical_place.patch new file mode 100644 index 0000000..ff055f7 --- /dev/null +++ b/src/patches/dnsmasq/018-Move_code_which_caches_DS_records_to_a_more_log= ical_place.patch @@ -0,0 +1,269 @@ +From d64c81fff7faf4392b688223ef3a617c5c07e7dc Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 15 Dec 2015 16:11:06 +0000 +Subject: [PATCH] Move code which caches DS records to a more logical place. + +--- + src/dnssec.c | 179 +++++++++++++++++++++++++++++--------------------------= --- + 1 file changed, 90 insertions(+), 89 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index 1ae03a6..359231f 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1204,7 +1204,10 @@ int dnssec_validate_by_ds(time_t now, struct dns_head= er *header, size_t plen, ch + int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, = char *name, char *keyname, int class) + { + unsigned char *p =3D (unsigned char *)(header+1); +- int qtype, qclass, val, i, neganswer, nons; ++ int qtype, qclass, rc, i, neganswer, nons; ++ int aclass, atype, rdlen; ++ unsigned long ttl; ++ struct all_addr a; +=20 + if (ntohs(header->qdcount) !=3D 1 || + !(p =3D skip_name(p, header, plen, 4))) +@@ -1214,40 +1217,100 @@ int dnssec_validate_ds(time_t now, struct dns_heade= r *header, size_t plen, char + GETSHORT(qclass, p); +=20 + if (qtype !=3D T_DS || qclass !=3D class) +- val =3D STAT_BOGUS; ++ rc =3D STAT_BOGUS; + else +- val =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0= , &neganswer, &nons); ++ rc =3D dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0,= &neganswer, &nons); + /* Note dnssec_validate_reply() will have cached positive answers */ + =20 +- if (val =3D=3D STAT_INSECURE) +- val =3D STAT_BOGUS; +- ++ if (rc =3D=3D STAT_INSECURE) ++ rc =3D STAT_BOGUS; ++=20 + p =3D (unsigned char *)(header+1); + extract_name(header, plen, &p, name, 1, 4); + p +=3D 4; /* qtype, qclass */ + =20 +- if (!(p =3D skip_section(p, ntohs(header->ancount), header, plen))) +- val =3D STAT_BOGUS; +- =20 + /* If the key needed to validate the DS is on the same domain as the DS, = we'll + loop getting nowhere. Stop that now. This can happen of the DS answer = comes + from the DS's zone, and not the parent zone. */ +- if (val =3D=3D STAT_BOGUS || (val =3D=3D STAT_NEED_KEY && hostname_isequa= l(name, keyname))) ++ if (rc =3D=3D STAT_BOGUS || (rc =3D=3D STAT_NEED_KEY && hostname_isequal(= name, keyname))) + { + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "BOGUS DS"); + return STAT_BOGUS; + } + =20 +- if (val !=3D STAT_SECURE) +- return val; +- +- /* By here, the answer is proved secure, and a positive answer has been c= ached. */ +- if (neganswer) ++ if (rc !=3D STAT_SECURE) ++ return rc; ++ =20 ++ if (!neganswer) + { +- int rdlen, flags =3D F_FORWARD | F_DS | F_NEG | F_DNSSECOK; +- unsigned long ttl, minttl =3D ULONG_MAX; +- struct all_addr a; ++ cache_start_insert(); ++ =20 ++ for (i =3D 0; i < ntohs(header->ancount); i++) ++ { ++ if (!(rc =3D extract_name(header, plen, &p, name, 0, 10))) ++ return STAT_BOGUS; /* bad packet */ ++ =20 ++ GETSHORT(atype, p); ++ GETSHORT(aclass, p); ++ GETLONG(ttl, p); ++ GETSHORT(rdlen, p); ++ =20 ++ if (!CHECK_LEN(header, p, plen, rdlen)) ++ return STAT_BOGUS; /* bad packet */ ++ =20 ++ if (aclass =3D=3D class && atype =3D=3D T_DS && rc =3D=3D 1) ++ {=20 ++ int algo, digest, keytag; ++ unsigned char *psave =3D p; ++ struct blockdata *key; ++ struct crec *crecp; +=20 ++ if (rdlen < 4) ++ return STAT_BOGUS; /* bad packet */ ++ =20 ++ GETSHORT(keytag, p); ++ algo =3D *p++; ++ digest =3D *p++; ++ =20 ++ /* Cache needs to known class for DNSSEC stuff */ ++ a.addr.dnssec.class =3D class; ++ =20 ++ if ((key =3D blockdata_alloc((char*)p, rdlen - 4))) ++ { ++ if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F_D= NSSECOK))) ++ { ++ blockdata_free(key); ++ return STAT_BOGUS; ++ } ++ else ++ { ++ a.addr.keytag =3D keytag; ++ log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag %= u"); ++ crecp->addr.ds.digest =3D digest; ++ crecp->addr.ds.keydata =3D key; ++ crecp->addr.ds.algo =3D algo; ++ crecp->addr.ds.keytag =3D keytag; ++ crecp->addr.ds.keylen =3D rdlen - 4;=20 ++ }=20 ++ } ++ =20 ++ p =3D psave; ++ =20 ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return STAT_BOGUS; /* bad packet */ ++ } ++ =20 ++ cache_end_insert(); ++ } ++ } ++ else ++ { ++ int flags =3D F_FORWARD | F_DS | F_NEG | F_DNSSECOK; ++ unsigned long minttl =3D ULONG_MAX; ++ =20 ++ if (!(p =3D skip_section(p, ntohs(header->ancount), header, plen))) ++ return STAT_BOGUS; ++ =20 + if (RCODE(header) =3D=3D NXDOMAIN) + flags |=3D F_NXDOMAIN; + =20 +@@ -1261,20 +1324,20 @@ int dnssec_validate_ds(time_t now, struct dns_header= *header, size_t plen, char + if (!(p =3D skip_name(p, header, plen, 0))) + return STAT_BOGUS; + =20 +- GETSHORT(qtype, p);=20 +- GETSHORT(qclass, p); ++ GETSHORT(atype, p);=20 ++ GETSHORT(aclass, p); + GETLONG(ttl, p); + GETSHORT(rdlen, p); +- ++ =20 + if (!CHECK_LEN(header, p, plen, rdlen)) + return STAT_BOGUS; /* bad packet */ +- =20 +- if (qclass !=3D class || qtype !=3D T_SOA) ++ =20 ++ if (aclass !=3D class || atype !=3D T_SOA) + { + p +=3D rdlen; + continue; + } +- =20 ++ =20 + if (ttl < minttl) + minttl =3D ttl; + =20 +@@ -1306,7 +1369,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *= header, size_t plen, char + log_query(F_NOEXTRA | F_UPSTREAM, name, NULL, "no DS"); + } + } +- ++ =20 + return STAT_OK; + } +=20 +@@ -2001,11 +2064,7 @@ int dnssec_validate_reply(time_t now, struct dns_head= er *header, size_t plen, ch + /* Not done, validate now */ + if (j =3D=3D i) + { +- int ttl, keytag, algo, digest, sigcnt, rrcnt; +- unsigned char *psave; +- struct all_addr a; +- struct blockdata *key; +- struct crec *crecp; ++ int sigcnt, rrcnt; + char *wildname; + =20 + if (!explore_rrset(header, plen, class1, type1, name, keyname, &sigc= nt, &rrcnt)) +@@ -2032,6 +2091,7 @@ int dnssec_validate_reply(time_t now, struct dns_heade= r *header, size_t plen, ch + Can't overwrite name here. */ + strcpy(daemon->workspacename, keyname); + rc =3D zone_status(daemon->workspacename, class1, keyname, now); ++ + if (rc !=3D STAT_SECURE) + { + /* Zone is insecure, don't need to validate RRset */ +@@ -2088,65 +2148,6 @@ int dnssec_validate_reply(time_t now, struct dns_head= er *header, size_t plen, ch + if (rc =3D=3D STAT_BOGUS) + return rc; + }=20 +- =20 +- /* If we just validated a DS RRset, cache it */ +- /* Also note if the RRset is the answer to the question, or the target = of a CNAME */ +- cache_start_insert(); +- =20 +- for (p2 =3D ans_start, j =3D 0; j < ntohs(header->ancount); j++) +- { +- if (!(rc =3D extract_name(header, plen, &p2, name, 0, 10))) +- return STAT_BOGUS; /* bad packet */ +- =20 +- GETSHORT(type2, p2); +- GETSHORT(class2, p2); +- GETLONG(ttl, p2); +- GETSHORT(rdlen2, p2); +- =20 +- if (!CHECK_LEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ +- =20 +- if (class2 =3D=3D class1 && rc =3D=3D 1) +- {=20 +- psave =3D p2; +- =20 +- if (type1 =3D=3D T_DS && type2 =3D=3D T_DS) +- { +- if (rdlen2 < 4) +- return STAT_BOGUS; /* bad packet */ +- =20 +- GETSHORT(keytag, p2); +- algo =3D *p2++; +- digest =3D *p2++; +- =20 +- /* Cache needs to known class for DNSSEC stuff */ +- a.addr.dnssec.class =3D class2; +- =20 +- if ((key =3D blockdata_alloc((char*)p2, rdlen2 - 4))) +- { +- if (!(crecp =3D cache_insert(name, &a, now, ttl, F_FORWARD | F_DS | F= _DNSSECOK))) +- blockdata_free(key); +- else +- { +- a.addr.keytag =3D keytag; +- log_query(F_NOEXTRA | F_KEYTAG | F_UPSTREAM, name, &a, "DS keytag= %u"); +- crecp->addr.ds.digest =3D digest; +- crecp->addr.ds.keydata =3D key; +- crecp->addr.ds.algo =3D algo; +- crecp->addr.ds.keytag =3D keytag; +- crecp->addr.ds.keylen =3D rdlen2 - 4;=20 +- }=20 +- } +- } +- +- p2 =3D psave; +- } +- =20 +- if (!ADD_RDLEN(header, p2, plen, rdlen2)) +- return STAT_BOGUS; /* bad packet */ +- } +- =20 +- cache_end_insert(); + } + } + } +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_wit= h_EDNS0.patch b/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_= with_EDNS0.patch new file mode 100644 index 0000000..0a4942a --- /dev/null +++ b/src/patches/dnsmasq/019-Generalise_RR-filtering_code_for_use_with_EDNS0= .patch @@ -0,0 +1,755 @@ +From c2bcd1e183bcc5fdd63811c045355fc57e36ecfd Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Tue, 15 Dec 2015 17:25:21 +0000 +Subject: [PATCH] Generalise RR-filtering code, for use with EDNS0. + +--- + Makefile | 3 +- + bld/Android.mk | 2 +- + src/dnsmasq.h | 5 + + src/dnssec.c | 307 +------------------------------------------------- + src/forward.c | 2 +- + src/rrfilter.c | 339 +++++++++++++++++++++++++++++++++++++++++++++++++++++= +++ + 6 files changed, 349 insertions(+), 309 deletions(-) + create mode 100644 src/rrfilter.c + +diff --git a/Makefile b/Makefile +index 4c87ea9..b664160 100644 +--- a/Makefile ++++ b/Makefile +@@ -73,7 +73,8 @@ objs =3D cache.o rfc1035.o util.o option.o forward.o netwo= rk.o \ + dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ +- domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o ++ domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ ++ poll.o rrfilter.o +=20 + hdrs =3D dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h +diff --git a/bld/Android.mk b/bld/Android.mk +index 5364ee7..67b9c4b 100644 +--- a/bld/Android.mk ++++ b/bld/Android.mk +@@ -10,7 +10,7 @@ LOCAL_SRC_FILES :=3D bpf.c cache.c dbus.c dhcp.c dnsmasq.= c \ + dhcp6.c rfc3315.c dhcp-common.c outpacket.c \ + radv.c slaac.c auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ +- loop.c inotify.c poll.c ++ loop.c inotify.c poll.c rrfilter.c +=20 + LOCAL_MODULE :=3D dnsmasq +=20 +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 4344cae..39a930c 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -1513,3 +1513,8 @@ int poll_check(int fd, short event); + void poll_listen(int fd, short event); + int do_poll(int timeout); +=20 ++/* rrfilter.c */ ++size_t rrfilter(struct dns_header *header, size_t plen, int mode); ++u16 *rrfilter_desc(int type); ++int expand_workspace(unsigned char ***wkspc, int *szp, int new); ++ +diff --git a/src/dnssec.c b/src/dnssec.c +index 359231f..fa3eb81 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -507,50 +507,6 @@ static int check_date_range(unsigned long date_start, u= nsigned long date_end) + && serial_compare_32(curtime, date_end) =3D=3D SERIAL_LT; + } +=20 +-static u16 *get_desc(int type) +-{ +- /* List of RRtypes which include domains in the data. +- 0 -> domain +- integer -> no of plain bytes +- -1 -> end +- +- zero is not a valid RRtype, so the final entry is returned for +- anything which needs no mangling. +- */ +- =20 +- static u16 rr_desc[] =3D=20 +- {=20 +- T_NS, 0, -1,=20 +- T_MD, 0, -1, +- T_MF, 0, -1, +- T_CNAME, 0, -1, +- T_SOA, 0, 0, -1, +- T_MB, 0, -1, +- T_MG, 0, -1, +- T_MR, 0, -1, +- T_PTR, 0, -1, +- T_MINFO, 0, 0, -1, +- T_MX, 2, 0, -1, +- T_RP, 0, 0, -1, +- T_AFSDB, 2, 0, -1, +- T_RT, 2, 0, -1, +- T_SIG, 18, 0, -1, +- T_PX, 2, 0, 0, -1, +- T_NXT, 0, -1, +- T_KX, 2, 0, -1, +- T_SRV, 6, 0, -1, +- T_DNAME, 0, -1, +- 0, -1 /* wildcard/catchall */ +- };=20 +- =20 +- u16 *p =3D rr_desc; +- =20 +- while (*p !=3D type && *p !=3D 0) +- while (*p++ !=3D (u16)-1); +- +- return p+1; +-} +- + /* Return bytes of canonicalised rdata, when the return value is zero, the = remaining=20 + data, pointed to by *p, should be used raw. */ + static int get_rdata(struct dns_header *header, size_t plen, unsigned char = *end, char *buff, int bufflen, +@@ -594,34 +550,6 @@ static int get_rdata(struct dns_header *header, size_t = plen, unsigned char *end, + } + } +=20 +-static int expand_workspace(unsigned char ***wkspc, int *szp, int new) +-{ +- unsigned char **p; +- int old =3D *szp; +- +- if (old >=3D new+1) +- return 1; +- +- if (new >=3D 100) +- return 0; +- +- new +=3D 5; +- =20 +- if (!(p =3D whine_malloc(new * sizeof(unsigned char **)))) +- return 0; =20 +- =20 +- if (old !=3D 0 && *wkspc) +- { +- memcpy(p, *wkspc, old * sizeof(unsigned char **)); +- free(*wkspc); +- } +- =20 +- *wkspc =3D p; +- *szp =3D new; +- +- return 1; +-} +- + /* Bubble sort the RRset into the canonical order.=20 + Note that the byte-streams from two RRs may get unsynced: consider=20 + RRs which have two domain-names at the start and then other data. +@@ -849,7 +777,7 @@ static int validate_rrset(time_t now, struct dns_header = *header, size_t plen, in + int rdlen, j, name_labels; + struct crec *crecp =3D NULL; + int algo, labels, orig_ttl, key_tag; +- u16 *rr_desc =3D get_desc(type); ++ u16 *rr_desc =3D rrfilter_desc(type); + =20 + if (wildcard_out) + *wildcard_out =3D NULL; +@@ -2266,239 +2194,6 @@ size_t dnssec_generate_query(struct dns_header *head= er, char *end, char *name, i + return ret; + } +=20 +-/* Go through a domain name, find "pointers" and fix them up based on how m= any bytes +- we've chopped out of the packet, or check they don't point into an elide= d part. */ +-static int check_name(unsigned char **namep, struct dns_header *header, siz= e_t plen, int fixup, unsigned char **rrs, int rr_count) +-{ +- unsigned char *ansp =3D *namep; +- +- while(1) +- { +- unsigned int label_type; +- =20 +- if (!CHECK_LEN(header, ansp, plen, 1)) +- return 0; +- =20 +- label_type =3D (*ansp) & 0xc0; +- +- if (label_type =3D=3D 0xc0) +- { +- /* pointer for compression. */ +- unsigned int offset; +- int i; +- unsigned char *p; +- =20 +- if (!CHECK_LEN(header, ansp, plen, 2)) +- return 0; +- +- offset =3D ((*ansp++) & 0x3f) << 8; +- offset |=3D *ansp++; +- +- p =3D offset + (unsigned char *)header; +- =20 +- for (i =3D 0; i < rr_count; i++) +- if (p < rrs[i]) +- break; +- else +- if (i & 1) +- offset -=3D rrs[i] - rrs[i-1]; +- +- /* does the pointer end up in an elided RR? */ +- if (i & 1) +- return 0; +- +- /* No, scale the pointer */ +- if (fixup) +- { +- ansp -=3D 2; +- *ansp++ =3D (offset >> 8) | 0xc0; +- *ansp++ =3D offset & 0xff; +- } +- break; +- } +- else if (label_type =3D=3D 0x80) +- return 0; /* reserved */ +- else if (label_type =3D=3D 0x40) +- { +- /* Extended label type */ +- unsigned int count; +- =20 +- if (!CHECK_LEN(header, ansp, plen, 2)) +- return 0; +- =20 +- if (((*ansp++) & 0x3f) !=3D 1) +- return 0; /* we only understand bitstrings */ +- =20 +- count =3D *(ansp++); /* Bits in bitstring */ +- =20 +- if (count =3D=3D 0) /* count =3D=3D 0 means 256 bits */ +- ansp +=3D 32; +- else +- ansp +=3D ((count-1)>>3)+1; +- } +- else +- { /* label type =3D=3D 0 Bottom six bits is length */ +- unsigned int len =3D (*ansp++) & 0x3f; +- =20 +- if (!ADD_RDLEN(header, ansp, plen, len)) +- return 0; +- +- if (len =3D=3D 0) +- break; /* zero length label marks the end. */ +- } +- } +- +- *namep =3D ansp; +- +- return 1; +-} +- +-/* Go through RRs and check or fixup the domain names contained within */ +-static int check_rrs(unsigned char *p, struct dns_header *header, size_t pl= en, int fixup, unsigned char **rrs, int rr_count) +-{ +- int i, type, class, rdlen; +- unsigned char *pp; +- =20 +- for (i =3D 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs= (header->arcount); i++) +- { +- pp =3D p; +- +- if (!(p =3D skip_name(p, header, plen, 10))) +- return 0; +- =20 +- GETSHORT(type, p);=20 +- GETSHORT(class, p); +- p +=3D 4; /* TTL */ +- GETSHORT(rdlen, p); +- +- if (type !=3D T_NSEC && type !=3D T_NSEC3 && type !=3D T_RRSIG) +- { +- /* fixup name of RR */ +- if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) +- return 0; +- =20 +- if (class =3D=3D C_IN) +- { +- u16 *d; +-=20 +- for (pp =3D p, d =3D get_desc(type); *d !=3D (u16)-1; d++) +- { +- if (*d !=3D 0) +- pp +=3D *d; +- else if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) +- return 0; +- } +- } +- } +- =20 +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return 0; +- } +- =20 +- return 1; +-} +-=09 +- +-size_t filter_rrsigs(struct dns_header *header, size_t plen) +-{ +- static unsigned char **rrs; +- static int rr_sz =3D 0; +- =20 +- unsigned char *p =3D (unsigned char *)(header+1); +- int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar; +- +- if (ntohs(header->qdcount) !=3D 1 || +- !(p =3D skip_name(p, header, plen, 4))) +- return plen; +- =20 +- GETSHORT(qtype, p); +- GETSHORT(qclass, p); +- +- /* First pass, find pointers to start and end of all the records we wish = to elide: +- records added for DNSSEC, unless explicity queried for */ +- for (rr_found =3D 0, chop_ns =3D 0, chop_an =3D 0, chop_ar =3D 0, i =3D 0= ;=20 +- i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->= arcount); +- i++) +- { +- unsigned char *pstart =3D p; +- int type, class; +- +- if (!(p =3D skip_name(p, header, plen, 10))) +- return plen; +- =20 +- GETSHORT(type, p);=20 +- GETSHORT(class, p); +- p +=3D 4; /* TTL */ +- GETSHORT(rdlen, p); +- =20 +- if ((type =3D=3D T_NSEC || type =3D=3D T_NSEC3 || type =3D=3D T_RRSIG= ) &&=20 +- (type !=3D qtype || class !=3D qclass)) +- { +- if (!expand_workspace(&rrs, &rr_sz, rr_found + 1)) +- return plen;=20 +- =20 +- rrs[rr_found++] =3D pstart; +- +- if (!ADD_RDLEN(header, p, plen, rdlen)) +- return plen; +- =20 +- rrs[rr_found++] =3D p; +- =20 +- if (i < ntohs(header->ancount)) +- chop_an++; +- else if (i < (ntohs(header->nscount) + ntohs(header->ancount))) +- chop_ns++; +- else +- chop_ar++; +- } +- else if (!ADD_RDLEN(header, p, plen, rdlen)) +- return plen; +- } +- =20 +- /* Nothing to do. */ +- if (rr_found =3D=3D 0) +- return plen; +- +- /* Second pass, look for pointers in names in the records we're keeping a= nd make sure they don't +- point to records we're going to elide. This is theoretically possible,= but unlikely. If +- it happens, we give up and leave the answer unchanged. */ +- p =3D (unsigned char *)(header+1); +- =20 +- /* question first */ +- if (!check_name(&p, header, plen, 0, rrs, rr_found)) +- return plen; +- p +=3D 4; /* qclass, qtype */ +- =20 +- /* Now answers and NS */ +- if (!check_rrs(p, header, plen, 0, rrs, rr_found)) +- return plen; +- =20 +- /* Third pass, elide records */ +- for (p =3D rrs[0], i =3D 1; i < rr_found; i +=3D 2) +- { +- unsigned char *start =3D rrs[i]; +- unsigned char *end =3D (i !=3D rr_found - 1) ? rrs[i+1] : ((unsigned = char *)(header+1)) + plen; +- =20 +- memmove(p, start, end-start); +- p +=3D end-start; +- } +- =20 +- plen =3D p - (unsigned char *)header; +- header->ancount =3D htons(ntohs(header->ancount) - chop_an); +- header->nscount =3D htons(ntohs(header->nscount) - chop_ns); +- header->arcount =3D htons(ntohs(header->arcount) - chop_ar); +- +- /* Fourth pass, fix up pointers in the remaining records */ +- p =3D (unsigned char *)(header+1); +- =20 +- check_name(&p, header, plen, 1, rrs, rr_found); +- p +=3D 4; /* qclass, qtype */ +- =20 +- check_rrs(p, header, plen, 1, rrs, rr_found); +- =20 +- return plen; +-} +- + unsigned char* hash_questions(struct dns_header *header, size_t plen, char = *name) + { + int q; +diff --git a/src/forward.c b/src/forward.c +index dd22a62..3e801c8 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -662,7 +662,7 @@ static size_t process_reply(struct dns_header *header, t= ime_t now, struct server +=20 + /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ + if (!do_bit) +- n =3D filter_rrsigs(header, n); ++ n =3D rrfilter(header, n, 1); + #endif +=20 + /* do this after extract_addresses. Ensure NODATA reply and remove +diff --git a/src/rrfilter.c b/src/rrfilter.c +new file mode 100644 +index 0000000..ae12261 +--- /dev/null ++++ b/src/rrfilter.c +@@ -0,0 +1,339 @@ ++/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 dated June, 1991, or ++ (at your option) version 3 dated 29 June, 2007. ++=20 ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ =20 ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++/* Code to safely remove RRs from an DNS answer */=20 ++ ++#include "dnsmasq.h" ++ ++/* Go through a domain name, find "pointers" and fix them up based on how m= any bytes ++ we've chopped out of the packet, or check they don't point into an elide= d part. */ ++static int check_name(unsigned char **namep, struct dns_header *header, siz= e_t plen, int fixup, unsigned char **rrs, int rr_count) ++{ ++ unsigned char *ansp =3D *namep; ++ ++ while(1) ++ { ++ unsigned int label_type; ++ =20 ++ if (!CHECK_LEN(header, ansp, plen, 1)) ++ return 0; ++ =20 ++ label_type =3D (*ansp) & 0xc0; ++ ++ if (label_type =3D=3D 0xc0) ++ { ++ /* pointer for compression. */ ++ unsigned int offset; ++ int i; ++ unsigned char *p; ++ =20 ++ if (!CHECK_LEN(header, ansp, plen, 2)) ++ return 0; ++ ++ offset =3D ((*ansp++) & 0x3f) << 8; ++ offset |=3D *ansp++; ++ ++ p =3D offset + (unsigned char *)header; ++ =20 ++ for (i =3D 0; i < rr_count; i++) ++ if (p < rrs[i]) ++ break; ++ else ++ if (i & 1) ++ offset -=3D rrs[i] - rrs[i-1]; ++ ++ /* does the pointer end up in an elided RR? */ ++ if (i & 1) ++ return 0; ++ ++ /* No, scale the pointer */ ++ if (fixup) ++ { ++ ansp -=3D 2; ++ *ansp++ =3D (offset >> 8) | 0xc0; ++ *ansp++ =3D offset & 0xff; ++ } ++ break; ++ } ++ else if (label_type =3D=3D 0x80) ++ return 0; /* reserved */ ++ else if (label_type =3D=3D 0x40) ++ { ++ /* Extended label type */ ++ unsigned int count; ++ =20 ++ if (!CHECK_LEN(header, ansp, plen, 2)) ++ return 0; ++ =20 ++ if (((*ansp++) & 0x3f) !=3D 1) ++ return 0; /* we only understand bitstrings */ ++ =20 ++ count =3D *(ansp++); /* Bits in bitstring */ ++ =20 ++ if (count =3D=3D 0) /* count =3D=3D 0 means 256 bits */ ++ ansp +=3D 32; ++ else ++ ansp +=3D ((count-1)>>3)+1; ++ } ++ else ++ { /* label type =3D=3D 0 Bottom six bits is length */ ++ unsigned int len =3D (*ansp++) & 0x3f; ++ =20 ++ if (!ADD_RDLEN(header, ansp, plen, len)) ++ return 0; ++ ++ if (len =3D=3D 0) ++ break; /* zero length label marks the end. */ ++ } ++ } ++ ++ *namep =3D ansp; ++ ++ return 1; ++} ++ ++/* Go through RRs and check or fixup the domain names contained within */ ++static int check_rrs(unsigned char *p, struct dns_header *header, size_t pl= en, int fixup, unsigned char **rrs, int rr_count) ++{ ++ int i, j, type, class, rdlen; ++ unsigned char *pp; ++ =20 ++ for (i =3D 0; i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs= (header->arcount); i++) ++ { ++ pp =3D p; ++ ++ if (!(p =3D skip_name(p, header, plen, 10))) ++ return 0; ++ =20 ++ GETSHORT(type, p);=20 ++ GETSHORT(class, p); ++ p +=3D 4; /* TTL */ ++ GETSHORT(rdlen, p); ++ ++ /* If this RR is to be elided, don't fix up its contents */ ++ for (j =3D 0; j < rr_count; j +=3D 2) ++ if (rrs[j] =3D=3D pp) ++ break; ++ ++ if (j >=3D rr_count) ++ { ++ /* fixup name of RR */ ++ if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) ++ return 0; ++ =20 ++ if (class =3D=3D C_IN) ++ { ++ u16 *d; ++=20 ++ for (pp =3D p, d =3D rrfilter_desc(type); *d !=3D (u16)-1; d++) ++ { ++ if (*d !=3D 0) ++ pp +=3D *d; ++ else if (!check_name(&pp, header, plen, fixup, rrs, rr_count)) ++ return 0; ++ } ++ } ++ } ++ =20 ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return 0; ++ } ++ =20 ++ return 1; ++} ++=09 ++ ++/* mode is 0 to remove EDNS0, 1 to filter DNSSEC RRs */ ++size_t rrfilter(struct dns_header *header, size_t plen, int mode) ++{ ++ static unsigned char **rrs; ++ static int rr_sz =3D 0; ++ ++ unsigned char *p =3D (unsigned char *)(header+1); ++ int i, rdlen, qtype, qclass, rr_found, chop_an, chop_ns, chop_ar; ++ ++ if (ntohs(header->qdcount) !=3D 1 || ++ !(p =3D skip_name(p, header, plen, 4))) ++ return plen; ++ =20 ++ GETSHORT(qtype, p); ++ GETSHORT(qclass, p); ++ ++ /* First pass, find pointers to start and end of all the records we wish = to elide: ++ records added for DNSSEC, unless explicity queried for */ ++ for (rr_found =3D 0, chop_ns =3D 0, chop_an =3D 0, chop_ar =3D 0, i =3D 0= ;=20 ++ i < ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->= arcount); ++ i++) ++ { ++ unsigned char *pstart =3D p; ++ int type, class; ++ ++ if (!(p =3D skip_name(p, header, plen, 10))) ++ return plen; ++ =20 ++ GETSHORT(type, p);=20 ++ GETSHORT(class, p); ++ p +=3D 4; /* TTL */ ++ GETSHORT(rdlen, p); ++ =20 ++ if (!ADD_RDLEN(header, p, plen, rdlen)) ++ return plen; ++ ++ /* Don't remove the answer. */ ++ if (i < ntohs(header->ancount) && type =3D=3D qtype && class =3D=3D q= class) ++ continue; ++ =20 ++ if (mode =3D=3D 0) /* EDNS */ ++ { ++ /* EDNS mode, remove T_OPT from additional section only */ ++ if (i < (ntohs(header->nscount) + ntohs(header->ancount)) || type !=3D T= _OPT) ++ continue; ++ } ++ else if (type !=3D T_NSEC && type !=3D T_NSEC3 && type !=3D T_RRSIG) ++ /* DNSSEC mode, remove SIGs and NSECs from all three sections. */ ++ continue; ++ =20 ++ =20 ++ if (!expand_workspace(&rrs, &rr_sz, rr_found + 1)) ++ return plen;=20 ++ =20 ++ rrs[rr_found++] =3D pstart; ++ rrs[rr_found++] =3D p; ++ =20 ++ if (i < ntohs(header->ancount)) ++ chop_an++; ++ else if (i < (ntohs(header->nscount) + ntohs(header->ancount))) ++ chop_ns++; ++ else ++ chop_ar++; ++ } ++ =20 ++ /* Nothing to do. */ ++ if (rr_found =3D=3D 0) ++ return plen; ++ ++ /* Second pass, look for pointers in names in the records we're keeping a= nd make sure they don't ++ point to records we're going to elide. This is theoretically possible,= but unlikely. If ++ it happens, we give up and leave the answer unchanged. */ ++ p =3D (unsigned char *)(header+1); ++ =20 ++ /* question first */ ++ if (!check_name(&p, header, plen, 0, rrs, rr_found)) ++ return plen; ++ p +=3D 4; /* qclass, qtype */ ++ =20 ++ /* Now answers and NS */ ++ if (!check_rrs(p, header, plen, 0, rrs, rr_found)) ++ return plen; ++ =20 ++ /* Third pass, elide records */ ++ for (p =3D rrs[0], i =3D 1; i < rr_found; i +=3D 2) ++ { ++ unsigned char *start =3D rrs[i]; ++ unsigned char *end =3D (i !=3D rr_found - 1) ? rrs[i+1] : ((unsigned = char *)(header+1)) + plen; ++ =20 ++ memmove(p, start, end-start); ++ p +=3D end-start; ++ } ++ =20 ++ plen =3D p - (unsigned char *)header; ++ header->ancount =3D htons(ntohs(header->ancount) - chop_an); ++ header->nscount =3D htons(ntohs(header->nscount) - chop_ns); ++ header->arcount =3D htons(ntohs(header->arcount) - chop_ar); ++ ++ /* Fourth pass, fix up pointers in the remaining records */ ++ p =3D (unsigned char *)(header+1); ++ =20 ++ check_name(&p, header, plen, 1, rrs, rr_found); ++ p +=3D 4; /* qclass, qtype */ ++ =20 ++ check_rrs(p, header, plen, 1, rrs, rr_found); ++ =20 ++ return plen; ++} ++ ++/* This is used in the DNSSEC code too, hence it's exported */ ++u16 *rrfilter_desc(int type) ++{ ++ /* List of RRtypes which include domains in the data. ++ 0 -> domain ++ integer -> no of plain bytes ++ -1 -> end ++ ++ zero is not a valid RRtype, so the final entry is returned for ++ anything which needs no mangling. ++ */ ++ =20 ++ static u16 rr_desc[] =3D=20 ++ {=20 ++ T_NS, 0, -1,=20 ++ T_MD, 0, -1, ++ T_MF, 0, -1, ++ T_CNAME, 0, -1, ++ T_SOA, 0, 0, -1, ++ T_MB, 0, -1, ++ T_MG, 0, -1, ++ T_MR, 0, -1, ++ T_PTR, 0, -1, ++ T_MINFO, 0, 0, -1, ++ T_MX, 2, 0, -1, ++ T_RP, 0, 0, -1, ++ T_AFSDB, 2, 0, -1, ++ T_RT, 2, 0, -1, ++ T_SIG, 18, 0, -1, ++ T_PX, 2, 0, 0, -1, ++ T_NXT, 0, -1, ++ T_KX, 2, 0, -1, ++ T_SRV, 6, 0, -1, ++ T_DNAME, 0, -1, ++ 0, -1 /* wildcard/catchall */ ++ };=20 ++ =20 ++ u16 *p =3D rr_desc; ++ =20 ++ while (*p !=3D type && *p !=3D 0) ++ while (*p++ !=3D (u16)-1); ++ ++ return p+1; ++} ++ ++int expand_workspace(unsigned char ***wkspc, int *szp, int new) ++{ ++ unsigned char **p; ++ int old =3D *szp; ++ ++ if (old >=3D new+1) ++ return 1; ++ ++ if (new >=3D 100) ++ return 0; ++ ++ new +=3D 5; ++ =20 ++ if (!(p =3D whine_malloc(new * sizeof(unsigned char **)))) ++ return 0; =20 ++ =20 ++ if (old !=3D 0 && *wkspc) ++ { ++ memcpy(p, *wkspc, old * sizeof(unsigned char **)); ++ free(*wkspc); ++ } ++ =20 ++ *wkspc =3D p; ++ *szp =3D new; ++ ++ return 1; ++} +--=20 +1.7.10.4 + diff --git a/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch b/src/patc= hes/dnsmasq/020-DNSSEC_validation_tweak.patch new file mode 100644 index 0000000..ffb412b --- /dev/null +++ b/src/patches/dnsmasq/020-DNSSEC_validation_tweak.patch @@ -0,0 +1,134 @@ +From 2dbba34b2c1289a108f876c78b84889f2a93115d Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 16 Dec 2015 13:41:58 +0000 +Subject: [PATCH] DNSSEC validation tweak. + +A zone which has at least one key with an algorithm we don't +support should be considered as insecure. +--- + src/dnssec.c | 82 ++++++++++++++++++++++++++++++++++++++-----------------= --- + 1 file changed, 54 insertions(+), 28 deletions(-) + +diff --git a/src/dnssec.c b/src/dnssec.c +index fa3eb81..dc563e0 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -763,10 +763,10 @@ static int explore_rrset(struct dns_header *header, si= ze_t plen, int class, int + STAT_NEED_KEY need DNSKEY to complete validation (name is returned in ke= yname) + STAT_NEED_DS need DS to complete validation (name is returned in keynam= e) +=20 +- if key is non-NULL, use that key, which has the algo and tag given in th= e params of those names, ++ If key is non-NULL, use that key, which has the algo and tag given in th= e params of those names, + otherwise find the key in the cache. +=20 +- name is unchanged on exit. keyname is used as workspace and trashed. ++ Name is unchanged on exit. keyname is used as workspace and trashed. +=20 + Call explore_rrset first to find and count RRs and sigs. + */ +@@ -919,6 +919,7 @@ static int validate_rrset(time_t now, struct dns_header = *header, size_t plen, in + return STAT_BOGUS; + } + =20 ++ + /* The DNS packet is expected to contain the answer to a DNSKEY query. + Put all DNSKEYs in the answer which are valid into the cache. + return codes: +@@ -1831,15 +1832,15 @@ static int prove_non_existence_nsec3(struct dns_head= er *header, size_t plen, uns +=20 + /* Check signing status of name. + returns: +- STAT_SECURE zone is signed. +- STAT_INSECURE zone proved unsigned. +- STAT_NEED_DS require DS record of name returned in keyname. +- =20 ++ STAT_SECURE zone is signed. ++ STAT_INSECURE zone proved unsigned. ++ STAT_NEED_DS require DS record of name returned in keyname. ++ STAT_NEED_DNSKEY require DNSKEY record of name returned in keyname. + name returned unaltered. + */ + static int zone_status(char *name, int class, char *keyname, time_t now) + { +- int name_start =3D strlen(name); ++ int secure_ds, name_start =3D strlen(name); + struct crec *crecp; + char *p; + =20 +@@ -1850,27 +1851,52 @@ static int zone_status(char *name, int class, char *= keyname, time_t now) + if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DS))) + return STAT_NEED_DS; + else +- do=20 +- { +- if (crecp->uid =3D=3D (unsigned int)class) +- { +- /* F_DNSSECOK misused in DS cache records to non-existance of NS record. +- F_NEG && !F_DNSSECOK implies that we've proved there's no DS record he= re, +- but that's because there's no NS record either, ie this isn't the start +- of a zone. We only prove that the DNS tree below a node is unsigned wh= en +- we prove that we're at a zone cut AND there's no DS record. +- */ =20 +- if (crecp->flags & F_NEG) +- { +- if (crecp->flags & F_DNSSECOK) +- return STAT_INSECURE; /* proved no DS here */ +- } +- else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(crec= p->addr.ds.algo)) +- return STAT_INSECURE; /* algo we can't use - insecure */ +- } +- } +- while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS))); +- =20 ++ { ++ secure_ds =3D 0; ++ =20 ++ do=20 ++ { ++ if (crecp->uid =3D=3D (unsigned int)class) ++ { ++ /* F_DNSSECOK misused in DS cache records to non-existance of NS record. ++ F_NEG && !F_DNSSECOK implies that we've proved there's no DS record = here, ++ but that's because there's no NS record either, ie this isn't the st= art ++ of a zone. We only prove that the DNS tree below a node is unsigned = when ++ we prove that we're at a zone cut AND there's no DS record. ++ */ =20 ++ if (crecp->flags & F_NEG) ++ { ++ if (crecp->flags & F_DNSSECOK) ++ return STAT_INSECURE; /* proved no DS here */ ++ } ++ else if (!ds_digest_name(crecp->addr.ds.digest) || !algo_digest_name(cr= ecp->addr.ds.algo)) ++ return STAT_INSECURE; /* algo we can't use - insecure */ ++ else ++ secure_ds =3D 1; ++ } ++ } ++ while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DS))); ++ } ++ ++ if (secure_ds) ++ { ++ /* We've found only DS records that attest to the DNSKEY RRset in the zo= ne, so we believe ++ that RRset is good. Furthermore the DNSKEY whose hash is proved by th= e DS record is ++ one we can use. However the DNSKEY RRset may contain more than one ke= y and ++ one of the other keys may use an algorithm we don't support. If that'= s=20 ++ the case the zone is insecure for us. */ ++ =20 ++ if (!(crecp =3D cache_find_by_name(NULL, keyname, now, F_DNSKEY))) ++ return STAT_NEED_KEY; ++ ++ do=20 ++ { ++ if (crecp->uid =3D=3D (unsigned int)class && !algo_digest_name(crecp= ->addr.key.algo)) ++ return STAT_INSECURE; ++ } ++ while ((crecp =3D cache_find_by_name(crecp, keyname, now, F_DNSKEY))); ++ } ++ + if (name_start =3D=3D 0) + break; +=20 +--=20 +1.7.10.4 + --=20 2.6.4 --===============7960740162511005029==--