Hi, okay. Merged. -Michael On Sun, 2018-03-04 at 18:26 +0100, Peter Müller wrote: > DNSSEC-validating nameservers return an "ad" (Authenticated Data) > flag in the DNS response header. This can be used as a negative > indicator for DNSSEC validation: In case a nameserver does not > return the flag, but fails to look up a domain with an invalid > signature, it does not support DNSSEC validation. > > This makes it easier to detect nameservers which do not fully > comply with the RFCs or try to tamper with DNS queries. > > See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further > details. > > The second version of this patch avoids unnecessary usage of > grep. Thanks to Michael Tremer for the hint. > > Signed-off-by: Peter Müller > --- > src/initscripts/system/unbound | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound > index a46999992..dcb9653ee 100644 > --- a/src/initscripts/system/unbound > +++ b/src/initscripts/system/unbound > @@ -378,7 +378,12 @@ ns_is_validating() { > local ns=${1} > shift > > - dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL > + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then > + return 1 > + else > + # Determine if NS replies with "ad" data flag if DNSSEC > enabled > + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }' > + fi > } > > # Checks if we can retrieve the DNSKEY for this domain.
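Review bot: the awk program in the new `else` branch only sets an exit status when a `;; flags:` line is actually seen, so if the second `dig` produces no header at all (timeout, truncated or empty reply) awk exits 0 and `ns_is_validating` reports the nameserver as validating even though the "ad" flag was never observed. Initialise the status before any input is read and decide in an END block instead, e.g. `awk 'BEGIN { s=1 } /^;; flags:/ { if (/ ad[; ]/) s=0 } END { exit s }'`; that form also drops the unused `-F:` (no fields are referenced) and the `\;`, `\ ` and `\:` escapes, which some awk implementations warn about as unknown escape sequences. Minor, and pre-existing in the removed line: `$@` is unquoted in both `dig` invocations, so any extra argument containing whitespace is word-split; `"$@"` is the safer spelling.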