diff --git a/src/dnssec.c b/src/dnssec.c index fbbc966d..e9962852 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -550,11 +550,26 @@ static chain_head *add_rrset2val_chain(struct mem_funcs *mf, /* Also, try to prevent adding double rrsets */ if ( rrset->rr_class == head->rrset.rr_class && rrset->rr_type == head->rrset.rr_type - && rrset->pkt == head->rrset.pkt - && rrset->pkt_len == head->rrset.pkt_len - && _dname_equal(rrset->name, head->rrset.name)) - return NULL; + && _dname_equal(rrset->name, head->rrset.name)) { + if (rrset->pkt == head->rrset.pkt && + rrset->pkt_len == head->rrset.pkt_len) + return NULL; + else { + /* Anticipate resubmissions due to + * roadblock avoidance */ + head->rrset.pkt = rrset->pkt; + head->rrset.pkt_len = rrset->pkt_len; + return head; + } + } + + if ( rrset->rr_class == head->rrset.rr_class + && rrset->rr_type == head->rrset.rr_type + && rrset->pkt != head->rrset.pkt + && _dname_equal(rrset->name, head->rrset.name)) { + return NULL; + } for (label = labels; label < last_label; label++) { if (! _dname_is_parent(*label, head->rrset.name)) break; @@ -2416,6 +2431,7 @@ static int key_proves_nonexistance( * ========================+ * First find the closest encloser. */ + if (*rrset->name) for ( nc_name = rrset->name, ce_name = rrset->name + *rrset->name + 1 ; *ce_name ; nc_name = ce_name, ce_name += *ce_name + 1) { @@ -3029,19 +3045,50 @@ static void check_chain_complete(chain_head *chain) && !dnsreq->avoid_dnssec_roadblocks && dnsreq->netreqs[0]->dnssec_status == GETDNS_DNSSEC_BOGUS) { - int r = GETDNS_RETURN_GOOD; getdns_network_req **netreq_p, *netreq; uint64_t now_ms = 0; dnsreq->avoid_dnssec_roadblocks = 1; + dnsreq->chain->lock += 1; for ( netreq_p = dnsreq->netreqs - ; !r && (netreq = *netreq_p) + ; (netreq = *netreq_p) ; netreq_p++) { _getdns_netreq_change_state(netreq, NET_REQ_NOT_SENT); + netreq->dnssec_status = + GETDNS_DNSSEC_INDETERMINATE; netreq->owner = dnsreq; - r = _getdns_submit_netreq(netreq, &now_ms); + (void) _getdns_submit_netreq(netreq, &now_ms); + } + if (!dnsreq->dnssec_return_validation_chain) + return; + + for ( head = chain; head ; head = next ) { + next = head->next; + for ( node_count = head->node_count + , node = head->parent + ; node_count + ; node_count--, node = node->parent ) { + + if (node->dnskey_req) { + _getdns_netreq_change_state( + node->dnskey_req, + NET_REQ_NOT_SENT); + node->dnskey_req->owner-> + avoid_dnssec_roadblocks = 1; + (void) _getdns_submit_netreq( + node->dnskey_req, &now_ms); + } + if (node->ds_req) { + _getdns_netreq_change_state( + node->ds_req, NET_REQ_NOT_SENT); + node->ds_req->owner-> + avoid_dnssec_roadblocks = 1; + (void) _getdns_submit_netreq( + node->ds_req, &now_ms); + } + } } return; } @@ -3185,11 +3232,16 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq) getdns_network_req *netreq, **netreq_p; chain_head *chain = NULL, *chain_p; - if (dnsreq->validating) + if (dnsreq->avoid_dnssec_roadblocks) { + chain = dnsreq->chain; + + } else if (dnsreq->validating) return; dnsreq->validating = 1; - for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) { + if (dnsreq->avoid_dnssec_roadblocks && chain->lock == 0) + ; /* pass */ + else for (netreq_p = dnsreq->netreqs; (netreq = *netreq_p) ; netreq_p++) { if (! netreq->response || netreq->response_len < GLDNS_HEADER_SIZE || ( GLDNS_RCODE_WIRE(netreq->response) @@ -3217,6 +3269,9 @@ void _getdns_get_validation_chain(getdns_dns_req *dnsreq) if (chain_p->lock) chain_p->lock--; } dnsreq->chain = chain; + if (dnsreq->avoid_dnssec_roadblocks && chain->lock) + chain->lock -= 1; + check_chain_complete(chain); } else { dnsreq->validating = 0; diff --git a/src/general.c b/src/general.c index 280df08d..2420a47c 100644 --- a/src/general.c +++ b/src/general.c @@ -59,6 +59,9 @@ void _getdns_call_user_callback(getdns_dns_req *dnsreq, getdns_dict *response) { _getdns_context_clear_outbound_request(dnsreq); +#if defined(REQ_DEBUG) && REQ_DEBUG + debug_req(__FUNC__, *dnsreq->netreqs); +#endif if (dnsreq->user_callback) { dnsreq->context->processing = 1; dnsreq->user_callback(dnsreq->context, @@ -211,6 +214,7 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) #ifdef STUB_NATIVE_DNSSEC || (dns_req->context->resolution_type == GETDNS_RESOLUTION_STUB + && !dns_req->avoid_dnssec_roadblocks && (dns_req->dnssec_return_status || dns_req->dnssec_return_only_secure || dns_req->dnssec_return_all_statuses @@ -228,6 +232,9 @@ _getdns_check_dns_req_complete(getdns_dns_req *dns_req) NULL, NULL, (getdns_eventloop_callback) _getdns_validation_chain_timeout)); +#if defined(REQ_DEBUG) && REQ_DEBUG + debug_req("getting validation chain for ", *dns_req->netreqs); +#endif _getdns_get_validation_chain(dns_req); } else _getdns_call_user_callback( diff --git a/src/tools/getdns_query.c b/src/tools/getdns_query.c index 58fb70c6..f237585c 100644 --- a/src/tools/getdns_query.c +++ b/src/tools/getdns_query.c @@ -81,6 +81,8 @@ static uint16_t request_type = GETDNS_RRTYPE_NS; static int timeout, edns0_size, padding_blocksize; static int async = 0, interactive = 0; static enum { GENERAL, ADDRESS, HOSTNAME, SERVICE } calltype = GENERAL; +static int bogus_answers = 0; +static int check_dnssec = 0; static int get_rrtype(const char *t) { @@ -317,6 +319,7 @@ static getdns_return_t validate_chain(getdns_dict *response) break; case GETDNS_DNSSEC_BOGUS: if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); + bogus_answers += 1; break; case GETDNS_DNSSEC_INDETERMINATE: if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n"); @@ -346,6 +349,7 @@ static getdns_return_t validate_chain(getdns_dict *response) break; case GETDNS_DNSSEC_BOGUS: if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_BOGUS\n"); + bogus_answers += 1; break; case GETDNS_DNSSEC_INDETERMINATE: if (verbosity) fprintf(stdout, "GETDNS_DNSSEC_INDETERMINATE\n"); @@ -389,6 +393,14 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type, if (callback_type == GETDNS_CALLBACK_COMPLETE) { if (verbosity) printf("Response code was: GOOD. Status was: Callback with ID %"PRIu64" was successful.\n", trans_id); + if (check_dnssec) { + uint32_t dnssec_status = GETDNS_DNSSEC_SECURE; + + (void )getdns_dict_get_int(response, + "/replies_tree/0/dnssec_status", &dnssec_status); + if (dnssec_status == GETDNS_DNSSEC_BOGUS) + bogus_answers += 1; + } } else if (callback_type == GETDNS_CALLBACK_CANCEL) fprintf(stderr, @@ -403,7 +415,6 @@ void callback(getdns_context *context, getdns_callback_type_t callback_type, getdns_get_errorstr_by_id(callback_type)); } getdns_dict_destroy(response); - response = NULL; } #define CONTINUE ((getdns_return_t)-2) @@ -578,6 +589,9 @@ getdns_return_t parse_args(int argc, char **argv) continue; } else if (arg[0] == '+') { + if (strncmp(arg+1, "dnssec_", 7) == 0) + check_dnssec = 1; + if (arg[1] == 's' && arg[2] == 'i' && arg[3] == 't' && (arg[4] == '=' || arg[4] == '\0')) { if ((r = set_cookie(extensions, arg+4))) { @@ -1196,6 +1210,7 @@ getdns_return_t do_the_call(void) fprintf( stdout, "%s\n", response_str); if (verbosity) fprintf( stdout, "SYNC call completed.\n"); + validate_chain(response); free(response_str); } else { @@ -1208,8 +1223,18 @@ getdns_return_t do_the_call(void) if (verbosity) fprintf(stdout, "Response code was: GOOD. Status was: %s\n", getdns_get_errorstr_by_id(status)); - if (response) + if (response) { + if (check_dnssec) { + uint32_t dnssec_status = GETDNS_DNSSEC_SECURE; + + (void )getdns_dict_get_int(response, + "/replies_tree/0/dnssec_status", + &dnssec_status); + if (dnssec_status == GETDNS_DNSSEC_BOGUS) + bogus_answers += 1; + } getdns_dict_destroy(response); + } } getdns_dict_destroy(address); return r; @@ -1790,5 +1815,7 @@ done_destroy_context: if (!i_am_stubby && verbosity) fprintf(stdout, "\nAll done.\n"); - return r; + return r ? r + : bogus_answers ? GETDNS_DNSSEC_BOGUS + : GETDNS_RETURN_GOOD; }