[PATCH] test if nameservers with DNSSEC support return "ad"-flagged data

["Peter Müller" <peter.mueller@link38.eu>]

[-- Attachment #1: Type: text/plain, Size: 1378 bytes --]

DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 src/initscripts/system/unbound | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 4e7e63e5f..410631f86 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -364,7 +364,12 @@ ns_is_validating() {
 	local ns=${1}
 	shift
 
-	dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+	if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+		return 1
+	else
+		# Determine if NS replies with "ad" data flag if DNSSEC enabled
+		dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | grep "\;\;\ flags:" | awk -F\: '{ print $2 }' | awk -F\; '{ print $1 }' | grep -q "\ ad"
+	fi
 }
 
 # Checks if we can retrieve the DNSKEY for this domain.
-- 
2.13.6