diff --git a/ChangeLog b/ChangeLog index 24e16bbe..92ed4920 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ * 2017-12-??: Version 1.2.2 + * Bugfix #356: Do Zero configuration DNSSEC meta queries over on the + context configured upstreams. + * Report default extension settings with + getdns_context_get_api_information() * Specify locations at which CA certificates for verification purposes are located: getdns_context_set_CApath() getdns_context_set_CAfile() * getdns_context_set_resolvconf() function to initialize a context diff --git a/src/anchor.c b/src/anchor.c index a374ab78..31e0e6f0 100644 --- a/src/anchor.c +++ b/src/anchor.c @@ -1517,7 +1517,6 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) char tas_hostname[256]; const char *verify_CA; const char *verify_email; - getdns_context *sys_ctxt; if ((r = _getdns_get_tas_url_hostname(context, tas_hostname, NULL))) { DEBUG_ANCHOR("ERROR %s(): Could not get_tas_url_hostname" @@ -1558,19 +1557,13 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) DEBUG_ANCHOR("%s on the %ssynchronous loop\n", __FUNC__, loop == &context->sync_eventloop.loop ? "" : "a"); - if (!(sys_ctxt = _getdns_context_get_sys_ctxt(context, loop))) { - DEBUG_ANCHOR("Fatal error fetching trust anchor: " - "missing system context\n"); - context->trust_anchors_source = GETDNS_TASRC_FAILED; - _getdns_ta_notify_dnsreqs(context); - return; - } scheduled = 0; #if 1 context->a.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(sys_ctxt, loop, - tas_hostname, GETDNS_RRTYPE_A, NULL, context, - &context->a.req, NULL, _tas_hostname_lookup_cb))) { + if ((r = _getdns_general_loop(context, loop, + tas_hostname, GETDNS_RRTYPE_A, + no_dnssec_checking_disabled_opportunistic, + context, &context->a.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling A lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); } else 
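Review bot: The A lookup for the trust-anchor host now passes `no_dnssec_checking_disabled_opportunistic`, which (per the src/request-internal.c hunks in this commit) clears every dnssec_* flag, sets the CD bit and drops the TLS authentication requirement to none, yet nothing at the call site says why that downgrade is acceptable for this particular query. If the fetched anchor is indeed verified independently (the `verify_CA` / `verify_email` locals in the preceding hunk suggest so), a comment should make that dependency explicit, e.g. `/* Bootstrap lookup: no DNSSEC (the anchor does not exist yet) and no TLS authentication requirement; the anchor obtained from this host must be verified separately, never trusted on the strength of this lookup. */`. The AAAA lookup in the next hunk (@@ -1579) has an argument list identical apart from the RR type and request slot, so a small static helper taking those two would avoid maintaining both copies by hand. `_getdns_start_fetching_ta` continues outside the hunk.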
@@ -1579,9 +1572,10 @@ void _getdns_start_fetching_ta(getdns_context *context, getdns_eventloop *loop) #if 1 context->aaaa.state = TAS_LOOKUP_ADDRESSES; - if ((r = _getdns_general_loop(sys_ctxt, loop, - tas_hostname, GETDNS_RRTYPE_AAAA, NULL, context, - &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { + if ((r = _getdns_general_loop(context, loop, + tas_hostname, GETDNS_RRTYPE_AAAA, + no_dnssec_checking_disabled_opportunistic, + context, &context->aaaa.req, NULL, _tas_hostname_lookup_cb))) { DEBUG_ANCHOR("Error scheduling AAAA lookup for %s: %s\n" , tas_hostname, getdns_get_errorstr_by_id(r)); } else diff --git a/src/context.c b/src/context.c index 4f3570e2..959d43d0 100644 --- a/src/context.c +++ b/src/context.c 
@@ -3892,6 +3892,63 @@ _get_context_settings(getdns_context* context) if (!getdns_context_get_CAfile(context, &str_value) && str_value) (void) getdns_dict_util_set_string(result, "CAfile", str_value); + /* Default settings for extensions */ + (void)getdns_dict_set_int( + result, "add_warning_for_bad_dns", + context->add_warning_for_bad_dns ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_all_statuses", + context->dnssec_return_all_statuses ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_full_validation_chain", + context->dnssec_return_full_validation_chain ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_only_secure", + context->dnssec_return_only_secure ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_status", + context->dnssec_return_status ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "dnssec_return_validation_chain", + context->dnssec_return_validation_chain ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + +#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) + (void)getdns_dict_set_int( + result, "dnssec_roadblock_avoidance", + context->dnssec_roadblock_avoidance ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); +#endif +#ifdef EDNS_COOKIES + (void)getdns_dict_set_int( + result, "edns_cookies", + context->edns_cookies ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); +#endif + (void)getdns_dict_set_int( + result, "return_both_v4_and_v6", + context->return_both_v4_and_v6 ? GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int( + result, "return_call_reporting", + context->return_call_reporting ? 
GETDNS_EXTENSION_TRUE + : GETDNS_EXTENSION_FALSE); + (void)getdns_dict_set_int(result, "specify_class", + (uint32_t)context->specify_class); + + if (context->add_opt_parameters) + (void)getdns_dict_set_dict( + result, "add_opt_parameters", context->add_opt_parameters); + + if (context->header) + (void)getdns_dict_set_dict( + result, "header", context->add_opt_parameters); + return result; error: getdns_dict_destroy(result); diff --git a/src/dict.c b/src/dict.c index 99e347ad..27ed57be 100644 --- a/src/dict.c +++ b/src/dict.c @@ -1082,7 +1082,25 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent, strcmp(item->node.key, "follow_redirects") == 0 || strcmp(item->node.key, "transport") == 0 || strcmp(item->node.key, "resolution_type") == 0 || - strcmp(item->node.key, "tls_authentication") == 0 ) && + strcmp(item->node.key, "tls_authentication") == 0 || + + /* extensions */ + strcmp(item->node.key, "add_warning_for_bad_dns") == 0 || + strcmp(item->node.key, "dnssec_return_all_statuses") == 0 || + strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 || + strcmp(item->node.key, "dnssec_return_only_secure") == 0 || + strcmp(item->node.key, "dnssec_return_status") == 0 || + strcmp(item->node.key, "dnssec_return_validation_chain") == 0 || +#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND) + strcmp(item->node.key, "dnssec_roadblock_avoidance") == 0 || +#endif +#ifdef EDNS_COOKIES + strcmp(item->node.key, "edns_cookies") == 0 || +#endif + strcmp(item->node.key, "return_api_information") == 0 || + strcmp(item->node.key, "return_both_v4_and_v6") == 0 || + strcmp(item->node.key, "return_call_reporting") == 0 + ) && (strval = _getdns_get_const_info(item->i.data.n)->name)) { if (gldns_buffer_printf(buf, " %s", strval) < 0) diff --git a/src/request-internal.c b/src/request-internal.c index b78c19ab..cc082039 100644 --- a/src/request-internal.c +++ b/src/request-internal.c 
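Review bot: The last added block stores the `"header"` entry from the wrong field: it tests `context->header` but hands `context->add_opt_parameters` to `getdns_dict_set_dict`, so `getdns_context_get_api_information()` reports the add_opt_parameters dict under the header key, or silently omits header altogether when add_opt_parameters is NULL because the return value is discarded. The call should read `result, "header", context->header);`. `_get_context_settings` begins before this hunk.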
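Review bot: The key test in `getdns_pp_dict` has grown into a chain of well over a dozen `strcmp` calls interleaved with two `#if` guards, and it must be kept in step by hand with the keys `_get_context_settings` emits in src/context.c. A `static const char *const` table of key names with a small lookup helper would keep the condition to one call, `if (is_symbolic_int_key(item->node.key) && (strval = _getdns_get_const_info(item->i.data.n)->name)) {`, and give both files a single list to share. The start of the condition, and the function itself, lie outside the hunk.
```c
/* Keys whose integer value is printed as the name of its symbolic constant. */
static const char *const symbolic_int_keys[] = {
	/* … unchanged: the keys already tested above this hunk … */
	"follow_redirects",
	"transport",
	"resolution_type",
	"tls_authentication",
	/* extensions */
	"add_warning_for_bad_dns",
	"dnssec_return_all_statuses",
	"dnssec_return_full_validation_chain",
	"dnssec_return_only_secure",
	"dnssec_return_status",
	"dnssec_return_validation_chain",
#if defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND)
	"dnssec_roadblock_avoidance",
#endif
#ifdef EDNS_COOKIES
	"edns_cookies",
#endif
	"return_api_information",
	"return_both_v4_and_v6",
	"return_call_reporting",
};

/* Return non-zero when key is one of symbolic_int_keys. */
static int is_symbolic_int_key(const char *key)
{
	for (size_t i = 0; i < sizeof symbolic_int_keys / sizeof symbolic_int_keys[0]; i++) {
		if (strcmp(symbolic_int_keys[i], key) == 0)
			return 1;
	}
	return 0;
}
```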
@@ -84,6 +84,12 @@ getdns_dict dnssec_ok_checking_disabled_avoid_roadblocks_spc = { getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks = &dnssec_ok_checking_disabled_avoid_roadblocks_spc; +getdns_dict no_dnssec_checking_disabled_opportunistic_spc = { + { RBTREE_NULL, 0, (int (*)(const void *, const void *)) strcmp }, + { NULL, {{ NULL, NULL, NULL }}} +}; +getdns_dict *no_dnssec_checking_disabled_opportunistic + = &no_dnssec_checking_disabled_opportunistic_spc; static int is_extension_set(getdns_dict *extensions, const char *name, int default_value) @@ -94,7 +100,8 @@ is_extension_set(getdns_dict *extensions, const char *name, int default_value) if ( ! extensions || extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance - || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) + || extensions == dnssec_ok_checking_disabled_avoid_roadblocks + || extensions == no_dnssec_checking_disabled_opportunistic) return 0; r = getdns_dict_get_int(extensions, name, &value); @@ -155,8 +162,8 @@ netreq_reset(getdns_network_req *net_req) static int network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, - uint16_t request_type, int dnssec_extension_set, int with_opt, - int edns_maximum_udp_payload_size, + uint16_t request_type, int checking_disabled, int opportunistic, + int with_opt, int edns_maximum_udp_payload_size, uint8_t edns_extended_rcode, uint8_t edns_version, int edns_do_bit, uint16_t opt_options_size, size_t noptions, getdns_list *options, size_t wire_data_sz, size_t max_query_sz, getdns_dict *extensions) @@ -186,6 +193,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, owner->context->tls_auth == GETDNS_AUTHENTICATION_REQUIRED && owner->context->dns_transport_count == 1 && owner->context->dns_transports[0] == GETDNS_TRANSPORT_TLS + && !opportunistic ? GETDNS_AUTHENTICATION_REQUIRED : GETDNS_AUTHENTICATION_NONE; 
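Review bot: The new `no_dnssec_checking_disabled_opportunistic` sentinel has no comment, although it is recognised purely by address (see the `is_extension_set` and `_getdns_dns_req_new` hunks in this commit) and selects a weaker posture than the three existing sentinels: besides setting CD it overrides the context's dnssec_return_* defaults and, through the `&& !opportunistic` term added below, lets a TLS-only context configured with `GETDNS_AUTHENTICATION_REQUIRED` proceed without authenticated TLS. A comment above the definition should say so, e.g. `/* Sentinel extensions dict, matched by address and never by content: no DNSSEC validation at all, CD bit set, TLS authentication downgraded to opportunistic. For internal bootstrap lookups only (trust anchor fetching); the caller must verify whatever it obtains, and it must never be passed for user queries. */`.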
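Review bot: The `&& !opportunistic` term is appended to a four-clause condition that feeds a `?:` with no parentheses, so a reader must recall that `&&` binds tighter than `?:` to see that `GETDNS_AUTHENTICATION_NONE` is chosen whenever any clause is false, including the new one. Wrapping the condition, `= ( ... && owner->context->dns_transports[0] == GETDNS_TRANSPORT_TLS && !opportunistic ) ? GETDNS_AUTHENTICATION_REQUIRED : GETDNS_AUTHENTICATION_NONE;`, and adding `/* opportunistic (bootstrap) requests never require authenticated TLS */` would make the security-relevant choice visible at a glance. The left-hand side of this assignment and the rest of `network_req_init` lie outside the hunk.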
@@ -240,7 +248,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner, _getdns_reply_dict2wire(owner->context->header, &gbuf, 1); gldns_buffer_rewind(&gbuf); _getdns_reply_dict2wire(extensions, &gbuf, 1); - if (dnssec_extension_set) /* We will do validation ourselves */ + if (checking_disabled) /* We will do validation ourselves */ GLDNS_CD_SET(net_req->query); if (with_opt) { @@ -762,8 +770,24 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, */ size_t max_query_sz, max_response_sz, netreq_sz, dnsreq_base_sz; uint8_t *region, *suffixes; + int checking_disabled = dnssec_extension_set; + int opportunistic = 0; - if (extensions == dnssec_ok_checking_disabled || + if (extensions == no_dnssec_checking_disabled_opportunistic) { + dnssec_return_status = 0; + dnssec_return_only_secure = 0; + dnssec_return_all_statuses = 0; + dnssec_return_full_validation_chain = 0; + dnssec_return_validation_chain = 0; + dnssec_extension_set = 0; +#ifdef DNSSEC_ROADBLOCK_AVOIDANCE + dnssec_roadblock_avoidance = 0; + avoid_dnssec_roadblocks = 0; +#endif + extensions = NULL; + checking_disabled = 1; + opportunistic = 1; + } else if (extensions == dnssec_ok_checking_disabled || extensions == dnssec_ok_checking_disabled_roadblock_avoidance || extensions == dnssec_ok_checking_disabled_avoid_roadblocks) extensions = NULL; @@ -973,8 +997,8 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, result->chain = NULL; network_req_init(result->netreqs[0], result, - request_type, dnssec_extension_set, with_opt, - edns_maximum_udp_payload_size, + request_type, checking_disabled, opportunistic, + with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, netreq_sz - sizeof(getdns_network_req), max_query_sz, 
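Review bot: The sentinel branch in `_getdns_dns_req_new` resets the roadblock-avoidance pair under a bare `#ifdef DNSSEC_ROADBLOCK_AVOIDANCE`, while the src/context.c and src/dict.c hunks in this commit guard the same feature with `defined(DNSSEC_ROADBLOCK_AVOIDANCE) && defined(HAVE_LIBUNBOUND)`; the declarations of `dnssec_roadblock_avoidance` and `avoid_dnssec_roadblocks` are outside the hunk, so I cannot tell which guard they use, but if it is the combined one this branch will not compile when libunbound is absent, and the guards should be aligned either way. The branch also zeroes six dnssec_* locals one by one without saying why `extensions = NULL` alone is not enough; a comment such as `/* The sentinel must override the context's dnssec_* defaults too: this lookup may not depend on DNSSEC, and CD is set so the upstream does not validate either. */` would record that, and any future dnssec flag has to be added to this list. The function begins before this hunk.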
@@ -984,7 +1008,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, network_req_init(result->netreqs[1], result, ( request_type == GETDNS_RRTYPE_A ? GETDNS_RRTYPE_AAAA : GETDNS_RRTYPE_A ), - dnssec_extension_set, with_opt, + checking_disabled, opportunistic, with_opt, edns_maximum_udp_payload_size, edns_extended_rcode, edns_version, edns_do_bit, (uint16_t) opt_options_size, noptions, options, diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 4722e07f..4601f097 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -1733,7 +1733,6 @@ main(int argc, char **argv) if ((r = parse_args(argc, argv)) && r != CONTINUE) goto done_destroy_context; - fprintf(stderr, "resolvconf: %s\n", resolvconf); if (resolvconf) { if ((r = getdns_context_set_resolvconf(context, resolvconf))) { fprintf(stderr, "Problem initializing with resolvconf: %d\n", (int)r); diff --git a/src/types-internal.h b/src/types-internal.h index 05589f4a..3199b134 100644 --- a/src/types-internal.h +++ b/src/types-internal.h @@ -425,6 +425,7 @@ typedef struct getdns_dns_req { extern getdns_dict *dnssec_ok_checking_disabled; extern getdns_dict *dnssec_ok_checking_disabled_roadblock_avoidance; extern getdns_dict *dnssec_ok_checking_disabled_avoid_roadblocks; +extern getdns_dict *no_dnssec_checking_disabled_opportunistic; /* dns request utils */ getdns_dns_req *_getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,