From fd7ec068efd590c0393a612599a4fab9bb0a8633 Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Mon, 18 May 2020 21:17:34 -0400 Subject: [PATCH] set AD bit in dns queries, suppress for internal use the AD (authenticated data) bit in outgoing dns queries is defined by rfc3655 to request that the nameserver report (via the same bit in the response) whether the result is authenticated by DNSSEC. while all results returned by a DNSSEC conforming nameserver will be either authenticated or cryptographically proven to lack DNSSEC protection, for some applications it's necessary to be able to distinguish these two cases. in particular, conforming and compatible handling of DANE (TLSA) records requires enforcing them only in signed zones. when the AD bit was first defined for queries, there were reports of compatibility problems with broken firewalls and nameservers dropping queries with it set. these problems are probably a thing of the past, and broken nameservers are already unsupported. however, since there is no use in the AD bit with the netdb.h interfaces, explicitly clear it in the queries they make. this ensures that, even with broken setups, the standard functions will work, and at most the res_* functions break. --- src/network/getnameinfo.c | 1 + src/network/lookup_name.c | 1 + src/network/res_mkquery.c | 1 + 3 files changed, 3 insertions(+) diff --git a/src/network/getnameinfo.c b/src/network/getnameinfo.c index f77e73ad..949e1811 100644 --- a/src/network/getnameinfo.c +++ b/src/network/getnameinfo.c @@ -158,6 +158,7 @@ int getnameinfo(const struct sockaddr *restrict sa, socklen_t sl, unsigned char query[18+PTR_MAX], reply[512]; int qlen = __res_mkquery(0, ptr, 1, RR_PTR, 0, 0, 0, query, sizeof query); + query[3] = 0; /* don't need AD flag */ int rlen = __res_send(query, qlen, reply, sizeof reply); buf[0] = 0; if (rlen > 0) diff --git a/src/network/lookup_name.c b/src/network/lookup_name.c index c93263a9..c4d994a1 100644 --- a/src/network/lookup_name.c +++ b/src/network/lookup_name.c @@ -149,6 +149,7 @@ static int name_from_dns(struct address buf[static MAXADDRS], char canon[static 0, 0, 0, qbuf[nq], sizeof *qbuf); if (qlens[nq] == -1) return EAI_NONAME; + qbuf[nq][3] = 0; /* don't need AD flag */ nq++; } } diff --git a/src/network/res_mkquery.c b/src/network/res_mkquery.c index 6fa04a5c..33f50cb9 100644 --- a/src/network/res_mkquery.c +++ b/src/network/res_mkquery.c @@ -20,6 +20,7 @@ int __res_mkquery(int op, const char *dname, int class, int type, /* Construct query template - ID will be filled later */ memset(q, 0, n); q[2] = op*8 + 1; + q[3] = 32; /* AD */ q[5] = 1; memcpy((char *)q+13, dname, l); for (i=13; q[i]; i=j+1) { -- 2.25.1