From 4fca5fe08c46c94c0dc3c798034c243d849f1203 Mon Sep 17 00:00:00 2001 From: Willem Toorop Date: Mon, 14 Mar 2016 12:23:12 +0100 Subject: [PATCH] A dnssec_return_all_statuses extension that returns all all dnssec replies regardless their status. When used on its own or in combination with just dnssec_return_status, it will return BOGUS replies, but those replies will have "dnssec_status": GETDNS_DNSSEC_BOGUS The response dict "status" will be GETDNS_RESPSTATUS_GOOD then. When used on in combination with dnssec_return_only_secure, it will return BOGUS and INSECURE replies (reflected in their "dnssec_status") The response dict "status" can be any of the status that the dnssec_return_only_secure extenstion returns, so either GETDNS_RESPSTATUS_GOOD when at least one reply was secure, GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when all replies were insecure, or GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS when all replies were bogus. --- src/general.c | 5 ++++- src/request-internal.c | 6 +++++- src/test/getdns_query.c | 1 + src/types-internal.h | 1 + src/util-internal.c | 6 ++++-- 5 files changed, 15 insertions(+), 4 deletions(-) diff --git a/src/general.c b/src/general.c index 777774e6..57e4a6c1 100644 --- a/src/general.c +++ b/src/general.c @@ -245,7 +245,8 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) #ifdef STUB_NATIVE_DNSSEC || (dns_req->context->resolution_type == GETDNS_RESOLUTION_STUB && (dns_req->dnssec_return_status || - dns_req->dnssec_return_only_secure + dns_req->dnssec_return_only_secure || + dns_req->dnssec_return_all_statuses )) #endif ) @@ -302,6 +303,7 @@ _getdns_submit_netreq(getdns_network_req *netreq) if ( dns_req->context->resolution_type == GETDNS_RESOLUTION_RECURSING || dns_req->dnssec_return_status || dns_req->dnssec_return_only_secure + || dns_req->dnssec_return_all_statuses || dns_req->dnssec_return_validation_chain) { #endif /* schedule the timeout */ @@ -362,6 +364,7 @@ validate_extensions(struct getdns_dict * extensions) static getdns_extension_format extformats[] = { {"add_opt_parameters" , t_dict, 1}, {"add_warning_for_bad_dns" , t_int , 1}, + {"dnssec_return_all_statuses" , t_int , 1}, {"dnssec_return_only_secure" , t_int , 1}, {"dnssec_return_status" , t_int , 1}, {"dnssec_return_validation_chain", t_int , 1}, diff --git a/src/request-internal.c b/src/request-internal.c index c46aa3ea..aff967fd 100644 --- a/src/request-internal.c +++ b/src/request-internal.c @@ -639,6 +639,8 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, || is_extension_set(extensions, "dnssec_return_status"); int dnssec_return_only_secure = is_extension_set(extensions, "dnssec_return_only_secure"); + int dnssec_return_all_statuses + = is_extension_set(extensions, "dnssec_return_all_statuses"); int dnssec_return_validation_chain = is_extension_set(extensions, "dnssec_return_validation_chain"); int edns_cookies @@ -653,7 +655,8 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, #endif int dnssec_extension_set = dnssec_return_status - || dnssec_return_only_secure || dnssec_return_validation_chain + || dnssec_return_only_secure || dnssec_return_all_statuses + || dnssec_return_validation_chain || (extensions == dnssec_ok_checking_disabled) || (extensions == dnssec_ok_checking_disabled_roadblock_avoidance) || (extensions == dnssec_ok_checking_disabled_avoid_roadblocks) @@ -850,6 +853,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop, ((uint64_t)arc4random()); result->dnssec_return_status = dnssec_return_status; result->dnssec_return_only_secure = dnssec_return_only_secure; + result->dnssec_return_all_statuses = dnssec_return_all_statuses; result->dnssec_return_validation_chain = dnssec_return_validation_chain; result->edns_cookies = edns_cookies; #ifdef DNSSEC_ROADBLOCK_AVOIDANCE diff --git a/src/test/getdns_query.c b/src/test/getdns_query.c index 837ed61d..45be3b00 100644 --- a/src/test/getdns_query.c +++ b/src/test/getdns_query.c @@ -471,6 +471,7 @@ print_usage(FILE *out, const char *progname) fprintf(out, "\t+add_warning_for_bad_dns\n"); fprintf(out, "\t+dnssec_return_status\n"); fprintf(out, "\t+dnssec_return_only_secure\n"); + fprintf(out, "\t+dnssec_return_all_statuses\n"); fprintf(out, "\t+dnssec_return_validation_chain\n"); #ifdef DNSSEC_ROADBLOCK_AVOIDANCE fprintf(out, "\t+dnssec_roadblock_avoidance\n"); diff --git a/src/types-internal.h b/src/types-internal.h index 38354c86..eb7bec31 100644 --- a/src/types-internal.h +++ b/src/types-internal.h @@ -286,6 +286,7 @@ typedef struct getdns_dns_req { /* request extensions */ int dnssec_return_status; int dnssec_return_only_secure; + int dnssec_return_all_statuses; int dnssec_return_validation_chain; #ifdef DNSSEC_ROADBLOCK_AVOIDANCE int dnssec_roadblock_avoidance; diff --git a/src/util-internal.c b/src/util-internal.c index dd4e816c..c7298d09 100644 --- a/src/util-internal.c +++ b/src/util-internal.c @@ -862,7 +862,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request) return NULL; dnssec_return_status = completed_request->dnssec_return_status || - completed_request->dnssec_return_only_secure + completed_request->dnssec_return_only_secure || + completed_request->dnssec_return_all_statuses #ifdef DNSSEC_ROADBLOCK_AVOIDANCE || completed_request->dnssec_roadblock_avoidance #endif @@ -907,7 +908,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request) nbogus++; - if (! completed_request->dnssec_return_validation_chain) { + if (! completed_request->dnssec_return_all_statuses && + ! completed_request->dnssec_return_validation_chain) { if (dnssec_return_status && netreq->dnssec_status == GETDNS_DNSSEC_BOGUS) continue;