On Sat, Feb 25, 2017 at 05:55:36PM +0100, Jeremie Courreges-Anglas wrote: > > This flag is useful for software that wants to rely on the resolver to > perform DNSSEC validation. Among the use cases there are DANE and SSHFP > records, and the obvious interfaces that I think are useful are > res_mkquery and getrrsetbyname. The latter still doesn't support > DNSSEC, another diff will follow. > > The first hunk is not supposed to be committed, it is only here for > basic testing (add "options dnssec" to resolv.conf). Other testing > could involve postfix or exim. > > Since RES_USE_DNSSEC now actually adds an EDNS0 OPT record to the > outgoing packet, one can be concerned with problems with resolvers out > there. Windows seems to have a way to disable EDNS0, I am not aware of > existing mechanisms elsewhere. > > Thoughts? ok?
Looks good. ok eric@ > > Index: asr/asr.c > =================================================================== > RCS file: /d/cvs/src/lib/libc/asr/asr.c,v > retrieving revision 1.56 > diff -u -p -r1.56 asr.c > --- asr/asr.c 23 Feb 2017 17:04:02 -0000 1.56 > +++ asr/asr.c 25 Feb 2017 16:04:30 -0000 > @@ -597,6 +597,8 @@ pass0(char **tok, int n, struct asr_ctx > ac->ac_options |= RES_USEVC; > else if (!strcmp(tok[i], "edns0")) > ac->ac_options |= RES_USE_EDNS0; > + else if (!strcmp(tok[i], "dnssec")) > + ac->ac_options |= RES_USE_DNSSEC; > else if ((!strncmp(tok[i], "ndots:", 6))) { > e = NULL; > d = strtonum(tok[i] + 6, 1, 16, &e); > Index: asr/asr_private.h > =================================================================== > RCS file: /d/cvs/src/lib/libc/asr/asr_private.h,v > retrieving revision 1.43 > diff -u -p -r1.43 asr_private.h > --- asr/asr_private.h 23 Feb 2017 17:04:02 -0000 1.43 > +++ asr/asr_private.h 25 Feb 2017 14:45:16 -0000 > @@ -297,7 +297,7 @@ __BEGIN_HIDDEN_DECLS > void _asr_pack_init(struct asr_pack *, char *, size_t); > int _asr_pack_header(struct asr_pack *, const struct asr_dns_header *); > int _asr_pack_query(struct asr_pack *, uint16_t, uint16_t, const char *); > -int _asr_pack_edns0(struct asr_pack *, uint16_t); > +int _asr_pack_edns0(struct asr_pack *, uint16_t, int); > void _asr_unpack_init(struct asr_unpack *, const char *, size_t); > int _asr_unpack_header(struct asr_unpack *, struct asr_dns_header *); > int _asr_unpack_query(struct asr_unpack *, struct asr_dns_query *); > Index: asr/asr_utils.c > =================================================================== > RCS file: /d/cvs/src/lib/libc/asr/asr_utils.c,v > retrieving revision 1.16 > diff -u -p -r1.16 asr_utils.c > --- asr/asr_utils.c 19 Feb 2017 12:02:30 -0000 1.16 > +++ asr/asr_utils.c 25 Feb 2017 16:06:01 -0000 > @@ -423,12 +423,19 @@ _asr_pack_query(struct asr_pack *p, uint > } > > int > -_asr_pack_edns0(struct asr_pack *p, uint16_t pktsz) > +_asr_pack_edns0(struct asr_pack *p, uint16_t pktsz, int dnssec_do) > { > + DPRINT("asr EDNS0 pktsz:%hu dnssec:%s\n", pktsz, > + dnssec_do ? "yes" : "no"); > + > pack_dname(p, ""); /* root */ > pack_u16(p, T_OPT); /* OPT */ > pack_u16(p, pktsz); /* UDP payload size */ > - pack_u32(p, 0); /* extended RCODE and flags */ > + > + /* extended RCODE and flags */ > + pack_u16(p, 0); > + pack_u16(p, dnssec_do ? DNS_MESSAGEEXTFLAG_DO : 0); > + > pack_u16(p, 0); /* RDATA len */ > > return (p->err) ? (-1) : (0); > Index: asr/res_mkquery.c > =================================================================== > RCS file: /d/cvs/src/lib/libc/asr/res_mkquery.c,v > retrieving revision 1.10 > diff -u -p -r1.10 res_mkquery.c > --- asr/res_mkquery.c 18 Feb 2017 19:23:05 -0000 1.10 > +++ asr/res_mkquery.c 25 Feb 2017 14:45:16 -0000 > @@ -61,14 +61,15 @@ res_mkquery(int op, const char *dname, i > if (ac->ac_options & RES_RECURSE) > h.flags |= RD_MASK; > h.qdcount = 1; > - if (ac->ac_options & RES_USE_EDNS0) > + if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC)) > h.arcount = 1; > > _asr_pack_init(&p, buf, buflen); > _asr_pack_header(&p, &h); > _asr_pack_query(&p, type, class, dn); > - if (ac->ac_options & RES_USE_EDNS0) > - _asr_pack_edns0(&p, MAXPACKETSZ); > + if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC)) > + _asr_pack_edns0(&p, MAXPACKETSZ, > + ac->ac_options & RES_USE_DNSSEC); > > _asr_ctx_unref(ac); > > Index: asr/res_send_async.c > =================================================================== > RCS file: /d/cvs/src/lib/libc/asr/res_send_async.c,v > retrieving revision 1.32 > diff -u -p -r1.32 res_send_async.c > --- asr/res_send_async.c 18 Feb 2017 22:25:13 -0000 1.32 > +++ asr/res_send_async.c 25 Feb 2017 14:45:16 -0000 > @@ -377,14 +377,15 @@ setup_query(struct asr_query *as, const > if (as->as_ctx->ac_options & RES_RECURSE) > h.flags |= RD_MASK; > h.qdcount = 1; > - if (as->as_ctx->ac_options & RES_USE_EDNS0) > + if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC)) > h.arcount = 1; > > _asr_pack_init(&p, as->as.dns.obuf, as->as.dns.obufsize); > _asr_pack_header(&p, &h); > _asr_pack_query(&p, type, class, dname); > - if (as->as_ctx->ac_options & RES_USE_EDNS0) > - _asr_pack_edns0(&p, MAXPACKETSZ); > + if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC)) > + _asr_pack_edns0(&p, MAXPACKETSZ, > + as->as_ctx->ac_options & RES_USE_DNSSEC); > if (p.err) { > DPRINT("error packing query"); > errno = EINVAL; > Index: net/resolver.3 > =================================================================== > RCS file: /d/cvs/src/lib/libc/net/resolver.3,v > retrieving revision 1.36 > diff -u -p -r1.36 resolver.3 > --- net/resolver.3 18 Feb 2017 19:23:05 -0000 1.36 > +++ net/resolver.3 20 Feb 2017 06:27:31 -0000 > @@ -199,9 +199,6 @@ uses 4096 bytes as input buffer size. > Request that the resolver uses > Domain Name System Security Extensions (DNSSEC), > as defined in RFCs 4033, 4034, and 4035. > -On > -.Ox > -this option does nothing. > .El > .Pp > The > > > -- > jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE >