Merge branch 'features/dnssec_extension' into develop
This commit is contained in:
commit
5986d0497f
|
@ -1,4 +1,7 @@
|
||||||
* 2018-0?-??: Version 1.4.3
|
* 2018-??-??: Version 1.4.3
|
||||||
|
* RFE #408: A "dnssec" extension that requires DNSSEC
|
||||||
|
verification. When this extension is set, Indeterminate
|
||||||
|
DNSSEC status will noging be returned.
|
||||||
* Issue #410: Unspecified ownership of get_api_information()
|
* Issue #410: Unspecified ownership of get_api_information()
|
||||||
* Fix for DNSSEC bug in finding most specific key when
|
* Fix for DNSSEC bug in finding most specific key when
|
||||||
trust anchor proves non-existance of one of the labels
|
trust anchor proves non-existance of one of the labels
|
||||||
|
|
|
@ -1655,6 +1655,7 @@ getdns_context_create_with_extended_memory_functions(
|
||||||
result->header = NULL;
|
result->header = NULL;
|
||||||
result->add_opt_parameters = NULL;
|
result->add_opt_parameters = NULL;
|
||||||
result->add_warning_for_bad_dns = 0;
|
result->add_warning_for_bad_dns = 0;
|
||||||
|
result->dnssec = 0;
|
||||||
result->dnssec_return_all_statuses = 0;
|
result->dnssec_return_all_statuses = 0;
|
||||||
result->dnssec_return_full_validation_chain = 0;
|
result->dnssec_return_full_validation_chain = 0;
|
||||||
result->dnssec_return_only_secure = 0;
|
result->dnssec_return_only_secure = 0;
|
||||||
|
@ -4129,6 +4130,10 @@ _get_context_settings(getdns_context* context)
|
||||||
result, "dnssec_return_full_validation_chain",
|
result, "dnssec_return_full_validation_chain",
|
||||||
context->dnssec_return_full_validation_chain ? GETDNS_EXTENSION_TRUE
|
context->dnssec_return_full_validation_chain ? GETDNS_EXTENSION_TRUE
|
||||||
: GETDNS_EXTENSION_FALSE);
|
: GETDNS_EXTENSION_FALSE);
|
||||||
|
(void)getdns_dict_set_int(
|
||||||
|
result, "dnssec",
|
||||||
|
context->dnssec ? GETDNS_EXTENSION_TRUE : GETDNS_EXTENSION_FALSE);
|
||||||
|
|
||||||
(void)getdns_dict_set_int(
|
(void)getdns_dict_set_int(
|
||||||
result, "dnssec_return_only_secure",
|
result, "dnssec_return_only_secure",
|
||||||
context->dnssec_return_only_secure ? GETDNS_EXTENSION_TRUE
|
context->dnssec_return_only_secure ? GETDNS_EXTENSION_TRUE
|
||||||
|
@ -4974,6 +4979,7 @@ _getdns_context_config_setting(getdns_context *context,
|
||||||
/**** ****/
|
/**** ****/
|
||||||
/**************************************/
|
/**************************************/
|
||||||
EXTENSION_SETTING_BOOL(add_warning_for_bad_dns)
|
EXTENSION_SETTING_BOOL(add_warning_for_bad_dns)
|
||||||
|
EXTENSION_SETTING_BOOL(dnssec)
|
||||||
EXTENSION_SETTING_BOOL(dnssec_return_all_statuses)
|
EXTENSION_SETTING_BOOL(dnssec_return_all_statuses)
|
||||||
EXTENSION_SETTING_BOOL(dnssec_return_full_validation_chain)
|
EXTENSION_SETTING_BOOL(dnssec_return_full_validation_chain)
|
||||||
EXTENSION_SETTING_BOOL(dnssec_return_only_secure)
|
EXTENSION_SETTING_BOOL(dnssec_return_only_secure)
|
||||||
|
|
|
@ -442,6 +442,7 @@ struct getdns_context {
|
||||||
getdns_dict *header;
|
getdns_dict *header;
|
||||||
getdns_dict *add_opt_parameters;
|
getdns_dict *add_opt_parameters;
|
||||||
unsigned add_warning_for_bad_dns : 1;
|
unsigned add_warning_for_bad_dns : 1;
|
||||||
|
unsigned dnssec : 1;
|
||||||
unsigned dnssec_return_all_statuses : 1;
|
unsigned dnssec_return_all_statuses : 1;
|
||||||
unsigned dnssec_return_full_validation_chain : 1;
|
unsigned dnssec_return_full_validation_chain : 1;
|
||||||
unsigned dnssec_return_only_secure : 1;
|
unsigned dnssec_return_only_secure : 1;
|
||||||
|
|
|
@ -1083,6 +1083,7 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
|
||||||
|
|
||||||
/* extensions */
|
/* extensions */
|
||||||
strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||
|
strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||
|
||||||
|
strcmp(item->node.key, "dnssec") == 0 ||
|
||||||
strcmp(item->node.key, "dnssec_return_all_statuses") == 0 ||
|
strcmp(item->node.key, "dnssec_return_all_statuses") == 0 ||
|
||||||
strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 ||
|
strcmp(item->node.key, "dnssec_return_full_validation_chain") == 0 ||
|
||||||
strcmp(item->node.key, "dnssec_return_only_secure") == 0 ||
|
strcmp(item->node.key, "dnssec_return_only_secure") == 0 ||
|
||||||
|
|
|
@ -218,12 +218,14 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req)
|
||||||
&& !dns_req->avoid_dnssec_roadblocks
|
&& !dns_req->avoid_dnssec_roadblocks
|
||||||
&& (dns_req->dnssec_return_status ||
|
&& (dns_req->dnssec_return_status ||
|
||||||
dns_req->dnssec_return_only_secure ||
|
dns_req->dnssec_return_only_secure ||
|
||||||
|
dns_req->dnssec ||
|
||||||
dns_req->dnssec_return_all_statuses
|
dns_req->dnssec_return_all_statuses
|
||||||
))
|
))
|
||||||
#endif
|
#endif
|
||||||
|| ( dns_req->context->resolution_type == GETDNS_RESOLUTION_RECURSING
|
|| ( dns_req->context->resolution_type == GETDNS_RESOLUTION_RECURSING
|
||||||
&& (dns_req->dnssec_return_status ||
|
&& (dns_req->dnssec_return_status ||
|
||||||
dns_req->dnssec_return_only_secure ||
|
dns_req->dnssec_return_only_secure ||
|
||||||
|
dns_req->dnssec ||
|
||||||
dns_req->dnssec_return_all_statuses)
|
dns_req->dnssec_return_all_statuses)
|
||||||
&& _getdns_bogus(dns_req))
|
&& _getdns_bogus(dns_req))
|
||||||
)) {
|
)) {
|
||||||
|
@ -423,6 +425,7 @@ _getdns_submit_netreq(getdns_network_req *netreq, uint64_t *now_ms)
|
||||||
if ( context->resolution_type == GETDNS_RESOLUTION_RECURSING
|
if ( context->resolution_type == GETDNS_RESOLUTION_RECURSING
|
||||||
|| dns_req->dnssec_return_status
|
|| dns_req->dnssec_return_status
|
||||||
|| dns_req->dnssec_return_only_secure
|
|| dns_req->dnssec_return_only_secure
|
||||||
|
|| dns_req->dnssec
|
||||||
|| dns_req->dnssec_return_all_statuses
|
|| dns_req->dnssec_return_all_statuses
|
||||||
|| dns_req->dnssec_return_validation_chain) {
|
|| dns_req->dnssec_return_validation_chain) {
|
||||||
#endif
|
#endif
|
||||||
|
@ -503,6 +506,7 @@ validate_extensions(const getdns_dict * extensions)
|
||||||
static getdns_extension_format extformats[] = {
|
static getdns_extension_format extformats[] = {
|
||||||
{"add_opt_parameters" , t_dict, 1},
|
{"add_opt_parameters" , t_dict, 1},
|
||||||
{"add_warning_for_bad_dns" , t_int , 1},
|
{"add_warning_for_bad_dns" , t_int , 1},
|
||||||
|
{"dnssec" , t_int , 1},
|
||||||
{"dnssec_return_all_statuses" , t_int , 1},
|
{"dnssec_return_all_statuses" , t_int , 1},
|
||||||
{"dnssec_return_full_validation_chain", t_int , 1},
|
{"dnssec_return_full_validation_chain", t_int , 1},
|
||||||
{"dnssec_return_only_secure" , t_int , 1},
|
{"dnssec_return_only_secure" , t_int , 1},
|
||||||
|
|
|
@ -702,6 +702,9 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
|
||||||
const char *name, uint16_t request_type, const getdns_dict *extensions,
|
const char *name, uint16_t request_type, const getdns_dict *extensions,
|
||||||
uint64_t *now_ms)
|
uint64_t *now_ms)
|
||||||
{
|
{
|
||||||
|
int dnssec = is_extension_set(
|
||||||
|
extensions, "dnssec",
|
||||||
|
context->dnssec);
|
||||||
int dnssec_return_status = is_extension_set(
|
int dnssec_return_status = is_extension_set(
|
||||||
extensions, "dnssec_return_status",
|
extensions, "dnssec_return_status",
|
||||||
context->dnssec_return_status);
|
context->dnssec_return_status);
|
||||||
|
@ -728,7 +731,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
|
||||||
|| is_extension_set(extensions, "dnssec_roadblock_avoidance",
|
|| is_extension_set(extensions, "dnssec_roadblock_avoidance",
|
||||||
context->dnssec_roadblock_avoidance);
|
context->dnssec_roadblock_avoidance);
|
||||||
#endif
|
#endif
|
||||||
int dnssec_extension_set = dnssec_return_status
|
int dnssec_extension_set = dnssec || dnssec_return_status
|
||||||
|| dnssec_return_only_secure || dnssec_return_all_statuses
|
|| dnssec_return_only_secure || dnssec_return_all_statuses
|
||||||
|| dnssec_return_validation_chain
|
|| dnssec_return_validation_chain
|
||||||
|| dnssec_return_full_validation_chain
|
|| dnssec_return_full_validation_chain
|
||||||
|
@ -776,6 +779,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
|
||||||
int opportunistic = 0;
|
int opportunistic = 0;
|
||||||
|
|
||||||
if (extensions == no_dnssec_checking_disabled_opportunistic) {
|
if (extensions == no_dnssec_checking_disabled_opportunistic) {
|
||||||
|
dnssec = 0;
|
||||||
dnssec_return_status = 0;
|
dnssec_return_status = 0;
|
||||||
dnssec_return_only_secure = 0;
|
dnssec_return_only_secure = 0;
|
||||||
dnssec_return_all_statuses = 0;
|
dnssec_return_all_statuses = 0;
|
||||||
|
@ -956,6 +960,7 @@ _getdns_dns_req_new(getdns_context *context, getdns_eventloop *loop,
|
||||||
result->context = context;
|
result->context = context;
|
||||||
result->loop = loop;
|
result->loop = loop;
|
||||||
result->trans_id = (uint64_t) (intptr_t) result;
|
result->trans_id = (uint64_t) (intptr_t) result;
|
||||||
|
result->dnssec = dnssec;
|
||||||
result->dnssec_return_status = dnssec_return_status;
|
result->dnssec_return_status = dnssec_return_status;
|
||||||
result->dnssec_return_only_secure = dnssec_return_only_secure;
|
result->dnssec_return_only_secure = dnssec_return_only_secure;
|
||||||
result->dnssec_return_all_statuses = dnssec_return_all_statuses;
|
result->dnssec_return_all_statuses = dnssec_return_all_statuses;
|
||||||
|
|
|
@ -183,6 +183,7 @@ print_usage(FILE *out, const char *progname)
|
||||||
fprintf(out, "\ntsig spec: [<algorithm>:]<name>:<secret in Base64>\n");
|
fprintf(out, "\ntsig spec: [<algorithm>:]<name>:<secret in Base64>\n");
|
||||||
fprintf(out, "\nextensions:\n");
|
fprintf(out, "\nextensions:\n");
|
||||||
fprintf(out, "\t+add_warning_for_bad_dns\n");
|
fprintf(out, "\t+add_warning_for_bad_dns\n");
|
||||||
|
fprintf(out, "\t+dnssec\n");
|
||||||
fprintf(out, "\t+dnssec_return_status\n");
|
fprintf(out, "\t+dnssec_return_status\n");
|
||||||
fprintf(out, "\t+dnssec_return_only_secure\n");
|
fprintf(out, "\t+dnssec_return_only_secure\n");
|
||||||
fprintf(out, "\t+dnssec_return_all_statuses\n");
|
fprintf(out, "\t+dnssec_return_all_statuses\n");
|
||||||
|
|
|
@ -299,6 +299,7 @@ typedef struct getdns_dns_req {
|
||||||
unsigned suffix_appended : 1;
|
unsigned suffix_appended : 1;
|
||||||
|
|
||||||
/* request extensions */
|
/* request extensions */
|
||||||
|
unsigned dnssec : 1;
|
||||||
unsigned dnssec_return_status : 1;
|
unsigned dnssec_return_status : 1;
|
||||||
unsigned dnssec_return_only_secure : 1;
|
unsigned dnssec_return_only_secure : 1;
|
||||||
unsigned dnssec_return_all_statuses : 1;
|
unsigned dnssec_return_all_statuses : 1;
|
||||||
|
|
|
@ -1133,7 +1133,8 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
|
||||||
if (!(result = getdns_dict_create_with_context(context)))
|
if (!(result = getdns_dict_create_with_context(context)))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
dnssec_return_status = completed_request->dnssec_return_status ||
|
dnssec_return_status = completed_request->dnssec ||
|
||||||
|
completed_request->dnssec_return_status ||
|
||||||
completed_request->dnssec_return_only_secure ||
|
completed_request->dnssec_return_only_secure ||
|
||||||
completed_request->dnssec_return_all_statuses
|
completed_request->dnssec_return_all_statuses
|
||||||
#ifdef DNSSEC_ROADBLOCK_AVOIDANCE
|
#ifdef DNSSEC_ROADBLOCK_AVOIDANCE
|
||||||
|
@ -1210,6 +1211,9 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
|
||||||
else if (completed_request->dnssec_return_only_secure
|
else if (completed_request->dnssec_return_only_secure
|
||||||
&& netreq->dnssec_status != GETDNS_DNSSEC_SECURE)
|
&& netreq->dnssec_status != GETDNS_DNSSEC_SECURE)
|
||||||
continue;
|
continue;
|
||||||
|
else if (completed_request->dnssec &&
|
||||||
|
netreq->dnssec_status == GETDNS_DNSSEC_INDETERMINATE)
|
||||||
|
continue;
|
||||||
else if (netreq->tsig_status == GETDNS_DNSSEC_BOGUS)
|
else if (netreq->tsig_status == GETDNS_DNSSEC_BOGUS)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
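Review bot: The new branch `else if (completed_request->dnssec && netreq->dnssec_status == GETDNS_DNSSEC_INDETERMINATE) continue;` drops only indeterminate replies, so a reply whose dnssec_status is GETDNS_DNSSEC_BOGUS still passes this test unless an earlier branch of the same if/else chain, which begins before the hunk, already discards it; that is not visible from the hunk and is worth confirming, since the ChangeLog describes `dnssec` as requiring DNSSEC verification. Because the branch sits after the `dnssec_return_only_secure` test, which already rejects anything that is not SECURE, it only takes effect when `dnssec` is set on its own, and a comment saying so would save the next reader the same analysis: `/* dnssec alone: keep secure and insecure replies, drop only unvalidated (indeterminate) ones */`. The enclosing loop and function continue outside the hunk.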
@ -1287,9 +1291,11 @@ _getdns_create_getdns_response(getdns_dns_req *completed_request)
|
||||||
if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
|
if (getdns_dict_set_int(result, GETDNS_STR_KEY_STATUS,
|
||||||
completed_request->request_timed_out ||
|
completed_request->request_timed_out ||
|
||||||
nreplies == 0 ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
|
nreplies == 0 ? GETDNS_RESPSTATUS_ALL_TIMEOUT :
|
||||||
completed_request->dnssec_return_only_secure && nsecure == 0 && ninsecure > 0
|
( completed_request->dnssec_return_only_secure
|
||||||
|
|| completed_request->dnssec ) && nsecure == 0 && ninsecure > 0
|
||||||
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
|
? GETDNS_RESPSTATUS_NO_SECURE_ANSWERS :
|
||||||
completed_request->dnssec_return_only_secure && nsecure == 0 && nbogus > 0
|
( completed_request->dnssec_return_only_secure
|
||||||
|
|| completed_request->dnssec ) && nsecure == 0 && nbogus > 0
|
||||||
? GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS :
|
? GETDNS_RESPSTATUS_ALL_BOGUS_ANSWERS :
|
||||||
nanswers == 0 ? GETDNS_RESPSTATUS_NO_NAME
|
nanswers == 0 ? GETDNS_RESPSTATUS_NO_NAME
|
||||||
: GETDNS_RESPSTATUS_GOOD))
|
: GETDNS_RESPSTATUS_GOOD))
|
||||||
|
|
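Review bot: With only `dnssec` set, insecure replies are kept in the reply tree by the filter earlier in this function, yet the status expression now yields GETDNS_RESPSTATUS_NO_SECURE_ANSWERS whenever `nsecure == 0 && ninsecure > 0`, so a caller receives replies together with a status that reads as failure; under `dnssec_return_only_secure` the same status accompanies an empty tree, which is a different contract. If that is intended (insecure meaning "validated but unsigned" is acceptable under `dnssec`, as the ChangeLog wording suggests), it needs to be stated in the API documentation; otherwise keep `completed_request->dnssec_return_only_secure && nsecure == 0 && ninsecure > 0` for NO_SECURE_ANSWERS and or `dnssec` only into the ALL_BOGUS_ANSWERS condition. Note also that the ordering is unchanged: a mix of insecure and bogus replies reports NO_SECURE_ANSWERS rather than ALL_BOGUS_ANSWERS, which is pre-existing but now reachable through the new extension. The counters and the function itself are defined outside the hunk.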