public inbox for development@lists.ipfire.org
From: "R. W. Rodolico" <rodo@dailydata.net>
To: development@lists.ipfire.org
Subject: Re: [PATCH] dnsmasq 2.75: next patch... (No.50)
Date: Tue, 19 Jan 2016 01:39:19 -0600
Message-ID: <569DE827.3060207@dailydata.net>
In-Reply-To: <1453041044-26371-1-git-send-email-matthias.fischer@ipfire.org>


I installed this package yesterday and dnsmasq broke a few minutes ago.
About 24 hours.

Strange thing: when I was using the servers you recommended
84.200.69.80, 84.200.70.40
I did not have any problems even though you have been updating very
frequently. However, I reverted to the old DNS servers
209.244.0.3 8.8.4.4
and in less than a few days (I think I did it with the 15th or 14th
update), it broke again. Those servers are, respectively,
resolver1.level3.net and one of the google ones.

Let me know if you want me to use the 84 DNS servers. Hell, I may just
decide to build my own caching DNS servers!!!

Rod

On 01/17/2016 08:30 AM, Matthias Fischer wrote:
> Again one latecoming patch (DNSSEC).
> 
> Download:
> http://people.ipfire.org/~mfischer/dnsmasq_275_2016_01_16
> MD5: a266e4673ed7d218b0477c6b02e3ef4d
> 
> This is the compiled binary, nothing more is needed.
> 
> Copy to '/usr/sbin'
> Stop 'dnsmasq' (/etc/init.d/dnsmasq stop)
> Rename (don't forget backing up the *old* version!)
> Start 'dnsmasq' (/etc/init.d/dnsmasq start).
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  lfs/dnsmasq                                        |   3 +-
>  ...NSSEC_validation_with_private_DNS_servers.patch | 139 +++++++++++++++++++++
>  2 files changed, 141 insertions(+), 1 deletion(-)
>  create mode 100644 src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
> 
> diff --git a/lfs/dnsmasq b/lfs/dnsmasq
> index bdfb1f8..4e5951f 100644
> --- a/lfs/dnsmasq
> +++ b/lfs/dnsmasq
> @@ -1,7 +1,7 @@
>  ###############################################################################
>  #                                                                             #
>  # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2015  Michael Tremer & Christian Schmidt                      #
> +# Copyright (C) 2016  Michael Tremer & Christian Schmidt                      #
>  #                                                                             #
>  # This program is free software: you can redistribute it and/or modify        #
>  # it under the terms of the GNU General Public License as published by        #
> @@ -122,6 +122,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/047-Fix_bad_cache-size_calculation_when_hosts-file_read_fails.patch
>  	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/048-Disable_DNSSEC_for_server_domain_servers_unless_trust-anchor_provided.patch
>  	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/049-arp_c_tidy_up.patch
> +	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
>  	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
>  
>  	cd $(DIR_APP) && sed -i src/config.h \
> diff --git a/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch b/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
> new file mode 100644
> index 0000000..b969eee
> --- /dev/null
> +++ b/src/patches/dnsmasq/050-Complete_work_to_allow_DNSSEC_validation_with_private_DNS_servers.patch
> @@ -0,0 +1,139 @@
> +From 92be34a4077672f592d47e2991b3530305517a28 Mon Sep 17 00:00:00 2001
> +From: Simon Kelley <simon(a)thekelleys.org.uk>
> +Date: Sat, 16 Jan 2016 18:39:54 +0000
> +Subject: [PATCH] Complete work to allow DNSSEC validation with private DNS
> + servers.
> +
> +---
> + man/dnsmasq.8 |    5 ++++-
> + src/forward.c |   34 +++++++++++++++++++++++++++++++---
> + src/network.c |   33 +++++++++++++++++++--------------
> + 3 files changed, 54 insertions(+), 18 deletions(-)
> +
> +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
> +index d51b10f..69acdae 100644
> +--- a/man/dnsmasq.8
> ++++ b/man/dnsmasq.8
> +@@ -405,7 +405,10 @@ xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving  the flag
> + .B -S /internal.thekelleys.org.uk/192.168.1.1 
> + will send all queries for
> + internal machines to that nameserver, everything else will go to the
> +-servers in /etc/resolv.conf. An empty domain specification,
> ++servers in /etc/resolv.conf. DNSSEC validation is turned off for such
> ++private nameservers, UNLESS a
> ++.B --trust-anchor
> ++is specified for the domain in question. An empty domain specification,
> + .B // 
> + has the special meaning of "unqualified names only" ie names without any
> + dots in them. A non-standard port may be specified as 
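Review bot: the new sentence should say that the trust anchor has to be for the server's own domain, because the matching code in the network.c hunk compares the --server domain against each ds->name with hostname_isequal(), an exact comparison, so a --trust-anchor for a parent zone does not re-enable validation for a more specific private domain. Suggested wording: "unless a --trust-anchor is specified for exactly the domain in question". The capitalised "UNLESS" is also out of keeping with the rest of the page; plain "unless" reads better.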
> +diff --git a/src/forward.c b/src/forward.c
> +index 11c0d45..c48fd75 100644
> +--- a/src/forward.c
> ++++ b/src/forward.c
> +@@ -151,7 +151,7 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp, unsigne
> + 	    hostname_isequal(matchstart, serv->domain) &&
> + 	    (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
> + 	  {
> +-	    if (serv->flags & SERV_NO_REBIND)	
> ++	    if ((serv->flags & SERV_NO_REBIND) && norebind)	
> + 	      *norebind = 1;
> + 	    else
> + 	      {
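Review bot: the added `&& norebind` guard is required because the new call in reply_query() passes NULL for norebind, but it also changes control flow for that caller: a matching SERV_NO_REBIND entry no longer short-circuits and instead falls into the else branch, where it is handled like any other matching server entry. If that is intended, a one-line comment at the new call site saying so would help; if not, `else if (!(serv->flags & SERV_NO_REBIND))` would make NULL callers skip rebind-only entries rather than select them.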
> +@@ -644,7 +644,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
> +     return resize_packet(header, n, pheader, plen);
> +   
> +   /* Complain loudly if the upstream server is non-recursive. */
> +-  if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
> ++  if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR &&
> +       server && !(server->flags & SERV_WARNED_RECURSIVE))
> +     {
> +       prettyprint_addr(&server->addr, daemon->namebuff);
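Review bot: dropping `ntohs(header->ancount) == 0` from the non-recursive check is not mentioned in the commit message and is not obviously covered by the subject line. With it gone, any NOERROR reply with the RA bit clear triggers the warning, including replies that do carry answers; that is presumably the intent (an authoritative-only private server answers its own zone with RA clear), but the commit message should say so and note that SERV_WARNED_RECURSIVE still limits the warning to once per server.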
> +@@ -923,12 +923,40 @@ void reply_query(int fd, int family, time_t now)
> + 		    status = STAT_ABANDONED;
> + 		  else
> + 		    {
> +-		      int fd;
> ++		      int fd, type;
> + 		      struct frec *next = new->next;
> ++		      char *domain;
> ++		      
> + 		      *new = *forward; /* copy everything, then overwrite */
> + 		      new->next = next;
> + 		      new->blocking_query = NULL;
> ++
> ++		      /* Find server to forward to. This will normally be the 
> ++			 same as for the original query, but may be another if
> ++			 servers for domains are involved. */		      
> ++		      if (search_servers(now, NULL, F_QUERY, daemon->keyname, &type, &domain, NULL) == 0)
> ++			{
> ++			   struct server *start = server;
> ++			   type &= ~SERV_DO_DNSSEC;
> ++			   
> ++			   while (1)
> ++			     {
> ++			       if (type == (start->flags & SERV_TYPE) &&
> ++				   (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
> ++				   !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
> ++				 {
> ++				   server = start;
> ++				   break;
> ++				 }
> ++			       
> ++			       if (!(start = start->next))
> ++				 start = daemon->servers;
> ++			       if (start == server)
> ++				 break;
> ++			     }
> ++			}
> + 		      new->sentto = server;
> ++
> + 		      new->rfd4 = NULL;
> + #ifdef HAVE_IPV6
> + 		      new->rfd6 = NULL;
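Review bot: the server re-selection loop has no not-found outcome. If no entry matches `type` and `domain`, `start` wraps round to `server` and the loop exits with `server` unchanged, so the DNSKEY/DS query for daemon->keyname is silently sent to whichever server answered the original query, which is exactly the case this patch is meant to fix. A log line, or at least a comment, on that path would make the behaviour diagnosable. `type &= ~SERV_DO_DNSSEC;` before the comparison also deserves a comment, since the reader has to infer that SERV_DO_DNSSEC is part of the SERV_TYPE mask and would otherwise defeat the `type == (start->flags & SERV_TYPE)` test.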
> +diff --git a/src/network.c b/src/network.c
> +index 303ae50..5451c6c 100644
> +--- a/src/network.c
> ++++ b/src/network.c
> +@@ -1442,20 +1442,25 @@ void check_servers(void)
> +       if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
> + 	{
> + #ifdef HAVE_DNSSEC
> +-	  if (option_bool(OPT_DNSSEC_VALID) && (serv->flags & SERV_HAS_DOMAIN))
> +-	    {
> +-	      struct ds_config *ds;
> +-	      char *domain = serv->domain;
> +-
> +-	      /* .example.com is valid */
> +-	      while (*domain == '.')
> +-		domain++;
> +-	      
> +-	      for (ds = daemon->ds; ds; ds = ds->next)
> +-		if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
> +-		  break;
> +-
> +-	      if (!ds)
> ++	  if (option_bool(OPT_DNSSEC_VALID))
> ++	    { 
> ++	      if (serv->flags & SERV_HAS_DOMAIN)
> ++		{
> ++		  struct ds_config *ds;
> ++		  char *domain = serv->domain;
> ++		  
> ++		  /* .example.com is valid */
> ++		  while (*domain == '.')
> ++		    domain++;
> ++		  
> ++		  for (ds = daemon->ds; ds; ds = ds->next)
> ++		    if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
> ++		      break;
> ++		  
> ++		  if (!ds)
> ++		    serv->flags &= ~SERV_DO_DNSSEC;
> ++		}
> ++	      else if (serv->flags & SERV_FOR_NODOTS) 
> + 		serv->flags &= ~SERV_DO_DNSSEC;
> + 	    }
> + #endif
> +-- 
> +1.7.10.4
> +
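Review bot: the new `else if (serv->flags & SERV_FOR_NODOTS)` branch disables DNSSEC for `-S //...` (unqualified-name) servers unconditionally, with no --trust-anchor escape, but the man page hunk only documents the domain-server case. Either extend the man page sentence to cover the `//` servers, or explain in the commit message why they get no trust-anchor exception. The re-indented domain branch itself is behaviour-preserving: same leading-dot stripping, same exact ds->name match, same clearing of SERV_DO_DNSSEC when no anchor is found.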
> 

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
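The install steps quoted above (copy to /usr/sbin, stop, rename with a backup, start) in script form, with the two checks a practitioner would want around them: the downloaded binary's checksum is compared with the published MD5 before anything on the box is touched, and the previous binary is restored if the new one fails to start. This is an added example and not part of the thread; the DNSMASQ_BIN and DNSMASQ_INIT variables and the function names are assumptions, while the paths and the MD5 value are the ones given in Matthias's mail. The MD5 only detects a corrupt or truncated download; it does not authenticate the publisher, which would need a signature or a stronger digest from a trusted source.

```shell
#!/bin/sh
# Added example, not from the thread: verify, back up, install and, if needed,
# roll back a dnsmasq binary distributed as a plain file.
# Paths follow the quoted instructions; DNSMASQ_BIN / DNSMASQ_INIT are
# assumed names and can be overridden from the environment.
DNSMASQ_BIN="${DNSMASQ_BIN:-/usr/sbin/dnsmasq}"
DNSMASQ_INIT="${DNSMASQ_INIT:-/etc/init.d/dnsmasq}"
# MD5 published in the quoted mail for dnsmasq_275_2016_01_16.
EXPECTED_MD5="a266e4673ed7d218b0477c6b02e3ef4d"

# verify_md5 FILE EXPECTED: returns 0 if FILE's MD5 equals EXPECTED, else 1.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_binary NEW_BIN: refuses to install on checksum mismatch; otherwise
# stops the service, keeps a timestamped backup of the old binary, installs
# NEW_BIN and starts the service. If start fails the backup is put back and
# the service started again. Returns 0 only for a clean install.
install_binary() {
    new="$1"
    if ! verify_md5 "$new" "$EXPECTED_MD5"; then
        echo "checksum mismatch for $new, not installing" >&2
        return 1
    fi
    backup="${DNSMASQ_BIN}.$(date +%Y%m%d%H%M%S).bak"
    "$DNSMASQ_INIT" stop
    cp -p "$DNSMASQ_BIN" "$backup"
    cp "$new" "$DNSMASQ_BIN" && chmod 755 "$DNSMASQ_BIN"
    if "$DNSMASQ_INIT" start; then
        echo "installed $new; previous binary kept at $backup"
        return 0
    fi
    echo "new dnsmasq failed to start, restoring $backup" >&2
    cp -p "$backup" "$DNSMASQ_BIN"
    "$DNSMASQ_INIT" start
    return 1
}

# Typical use: install_binary /root/dnsmasq_275_2016_01_16
```

Run it as root with the downloaded file as the argument. The backup name carries a timestamp so repeated updates (the thread mentions frequent ones) do not overwrite each other, and the checksum is tested before the service is stopped so a bad download never causes an outage.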
