-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
dnsmasq: add fix related to DNSSEC verification from upstream
To find the DS record for a given zone the parent zone's nameserver must be queried and not the nameserver for the zone. Otherwise DNSSEC verification for unsigned delegations breaks. Signed-off-by: Uwe Kleine-König <[email protected]> Link: https://patchwork.ozlabs.org/project/openwrt/patch/[email protected]/ Signed-off-by: Hauke Mehrtens <[email protected]> (cherry picked from commit 6dc0f0c)
- Loading branch information
Showing
2 changed files
with
99 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
98 changes: 98 additions & 0 deletions
98
package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| From 8ce27433f8b2e17c557cb55e4f16941d309deeac Mon Sep 17 00:00:00 2001 | ||
| From: Simon Kelley <[email protected]> | ||
| Date: Fri, 17 Jan 2025 17:49:29 +0000 | ||
| Subject: [PATCH] Handle DS queries to auth zones. | ||
| Origin: upstream, v2.91test8 | ||
|
|
||
| When dnsmasq is configured to act as an authoritative server and has | ||
| an authoritative zone configured, and recieves a query for | ||
| that zone _as_forwarder_ it answers the query directly rather | ||
| than forwarding it. This doesn't affect the answer, but it | ||
| saves dnsmasq forwarding the query to the recusor upstream, | ||
| whch then bounces it back to dnsmasq in auth mode. The | ||
| exception should be when the query is for the root of zone, for a DS | ||
| RR. The answer to that has to come from the parent, via the | ||
| recursor, and will typically be a proof-of-nonexistence since | ||
| dnsmasq doesn't support signed zones. This patch suppresses | ||
| local answers and forces forwarding to the upstream recursor | ||
| for such queries. It stops breakage when a DNSSEC validating | ||
| client makes queries to dnsmasq acting as forwarder for a zone | ||
| for which it is authoritative. | ||
|
|
||
| [ukleinek: drop changes to CHANGELOG to prevent conflicts] | ||
| --- | ||
| src/forward.c | 52 +++++++++++++++++++++++++++++++++++++-------------- | ||
| 1 file changed, 38 insertions(+), 14 deletions(-) | ||
|
|
||
| --- a/src/forward.c | ||
| +++ b/src/forward.c | ||
| @@ -1744,15 +1744,27 @@ void receive_query(struct listener *list | ||
| #endif | ||
|
|
||
| #ifdef HAVE_AUTH | ||
| - /* find queries for zones we're authoritative for, and answer them directly */ | ||
| + /* Find queries for zones we're authoritative for, and answer them directly. | ||
| + The exception to this is DS queries for the zone route. They | ||
| + have to come from the parent zone. Since dnsmasq's auth server | ||
| + can't do DNSSEC, the zone will be unsigned, and anything using | ||
| + dnsmasq as a forwarder and doing validation will be expecting to | ||
| + see the proof of non-existence from the parent. */ | ||
| if (!auth_dns && !option_bool(OPT_LOCALISE)) | ||
| for (zone = daemon->auth_zones; zone; zone = zone->next) | ||
| - if (in_zone(zone, daemon->namebuff, NULL)) | ||
| - { | ||
| - auth_dns = 1; | ||
| - local_auth = 1; | ||
| - break; | ||
| - } | ||
| + { | ||
| + char *cut; | ||
| + | ||
| + if (in_zone(zone, daemon->namebuff, &cut)) | ||
| + { | ||
| + if (type != T_DS || cut) | ||
| + { | ||
| + auth_dns = 1; | ||
| + local_auth = 1; | ||
| + } | ||
| + break; | ||
| + } | ||
| + } | ||
| #endif | ||
|
|
||
| #ifdef HAVE_LOOP | ||
| @@ -2268,15 +2280,27 @@ unsigned char *tcp_request(int confd, ti | ||
| &peer_addr, auth_dns ? "auth" : "query", qtype); | ||
|
|
||
| #ifdef HAVE_AUTH | ||
| - /* find queries for zones we're authoritative for, and answer them directly */ | ||
| + /* Find queries for zones we're authoritative for, and answer them directly. | ||
| + The exception to this is DS queries for the zone route. They | ||
| + have to come from the parent zone. Since dnsmasq's auth server | ||
| + can't do DNSSEC, the zone will be unsigned, and anything using | ||
| + dnsmasq as a forwarder and doing validation will be expecting to | ||
| + see the proof of non-existence from the parent. */ | ||
| if (!auth_dns && !option_bool(OPT_LOCALISE)) | ||
| for (zone = daemon->auth_zones; zone; zone = zone->next) | ||
| - if (in_zone(zone, daemon->namebuff, NULL)) | ||
| - { | ||
| - auth_dns = 1; | ||
| - local_auth = 1; | ||
| - break; | ||
| - } | ||
| + { | ||
| + char *cut; | ||
| + | ||
| + if (in_zone(zone, daemon->namebuff, &cut)) | ||
| + { | ||
| + if (qtype != T_DS || cut) | ||
| + { | ||
| + auth_dns = 1; | ||
| + local_auth = 1; | ||
| + } | ||
| + break; | ||
| + } | ||
| + } | ||
| #endif | ||
| } | ||
| } |