From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] test if nameservers with DNSSEC support return "ad"-flagged data
Date: Mon, 05 Mar 2018 15:22:31 +0000
Message-ID: <1520263351.11896.92.camel@ipfire.org>
In-Reply-To: <20180304182652.067d606e.peter.mueller@link38.eu>

Hi,

okay. Merged.

-Michael

On Sun, 2018-03-04 at 18:26 +0100, Peter Müller wrote:
> DNSSEC-validating nameservers return an "ad" (Authenticated Data)
> flag in the DNS response header. This can be used as a negative
> indicator for DNSSEC validation: In case a nameserver does not
> return the flag, but fails to look up a domain with an invalid
> signature, it does not support DNSSEC validation.
>
> This makes it easier to detect nameservers which do not fully
> comply with the RFCs or try to tamper with DNS queries.
>
> See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further
> details.
>
> The second version of this patch avoids unnecessary usage of
> grep. Thanks to Michael Tremer for the hint.
>
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/unbound | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
> index a46999992..dcb9653ee 100644
> --- a/src/initscripts/system/unbound
> +++ b/src/initscripts/system/unbound
> @@ -378,7 +378,12 @@ ns_is_validating() { > local ns=3D${1} > shift > =20 > - dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL > + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then > + return 1 > + else > + # Determine if NS replies with "ad" data flag if DNSSEC > enabled > + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ > flags\:/ { s=3D1; if (/\ ad/) s=3D0; exit s }' > + fi > } > =20 > # Checks if we can retrieve the DNSKEY for this domain. --===============7081237019876156674==--
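Review bot: in the new else branch the awk program only executes `exit s` when a line matching `;; flags:` is seen, so when the second dig gets no usable answer at all (timeout, "no servers could be reached") awk finishes with status 0 and ns_is_validating reports that nameserver as validating, which is the opposite of what the first check is trying to guarantee. Initialise and exit in awk's BEGIN/END blocks instead, e.g. `awk 'BEGIN { s=1 } /^;; flags:/ { if (/ ad/) s=0 } END { exit s }'`; that also drops the unused `-F:` and the `\;` / `\ ` escapes, which awk only tolerates as unknown escape sequences. Minor: `$@` should be `"$@"` in both dig invocations, and the else after `return 1` is not needed.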