authorColin Watson <cjwatson@debian.org>2014-02-09 16:10:01 +0000
committerColin Watson <cjwatson@debian.org>2014-02-09 23:43:41 +0000
commitd77a569da1afcb73c6ddfc934092461eeb4edb53 (patch)
treef007d489e634963951cc5e3b0e853743032b63d6
parent7231af57ca3efb451ace1b8e056fa0e52c67654e (diff)
Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2010-04-06 Patch-Name: dnssec-sshfp.patch
-rw-r--r--dns.c14
-rw-r--r--openbsd-compat/getrrsetbyname.c10
-rw-r--r--openbsd-compat/getrrsetbyname.h3
3 files changed, 21 insertions, 6 deletions
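--- a/dns.c
+++ b/dns.c
@@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
 	u_int counter;
 	int result;
+	unsigned int rrset_flags = 0;
 	struct rrsetinfo *fingerprints = NULL;
 
 	u_int8_t hostkey_algorithm;
@@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		return -1;
 	}
 
+	/*
+	 * Original getrrsetbyname function, found on OpenBSD for example,
+	 * doesn't accept any flag and prerequisite for obtaining AD bit in
+	 * DNS response is set by "options edns0" in resolv.conf.
+	 *
+	 * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+	 */
+#ifndef HAVE_GETRRSETBYNAME
+	rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
 	if (result) {
 		verbose("DNS lookup error: %s", dns_result_totext(result));
 		return -1;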
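Review bot: The new block comment above the `#ifndef HAVE_GETRRSETBYNAME` guard in the second hunk is hard to read ("is more clever and use") and does not say what the flag actually buys; I would rewrite its last paragraph as `* The openbsd-compat getrrsetbyname() accepts RRSET_FORCE_EDNS0 instead, so` / `* the EDNS0/DNSSEC request does not depend on resolv.conf.` It is also worth a sentence that on systems with a native getrrsetbyname() rrset_flags stays 0 and the call is unchanged, which is what the guard implies. The added blank line (new 235) between the call and its `if (result)` check is a style nit, since the rest of the function keeps a call and its error check together. The caller should presumably still treat the result as only as trustworthy as the AD bit reported by the configured resolver; how rri_flags is checked is outside this hunk, as is the rest of verify_host_key_dns().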
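--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 		goto fail;
 	}
 
-	/* don't allow flags yet, unimplemented */
-	if (flags) {
+	/* Allow RRSET_FORCE_EDNS0 flag only. */
+	if ((flags & !RRSET_FORCE_EDNS0) != 0) {
 		result = ERRSET_INVAL;
 		goto fail;
 	}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 
 #ifdef RES_USE_DNSSEC
-	/* turn on DNSSEC if EDNS0 is configured */
-	if (_resp->options & RES_USE_EDNS0)
-		_resp->options |= RES_USE_DNSSEC;
+	/* turn on DNSSEC if required */
+	if (flags & RRSET_FORCE_EDNS0)
+		_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
 
 	/* make query */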
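Review bot: The flag check in the first hunk uses logical not where bitwise not is needed: `!RRSET_FORCE_EDNS0` is `!0x0001`, which is 0, so `flags & 0` is always zero and the condition never fires, meaning the "allow RRSET_FORCE_EDNS0 only" guard rejects nothing and any unknown flag bits pass through silently. The line should read `if ((flags & ~RRSET_FORCE_EDNS0) != 0) {`. In the second hunk the new branch now also sets RES_USE_EDNS0 on `_resp->options`; the previous code only added RES_USE_DNSSEC when EDNS0 was already configured, so if `_resp` is shared resolver state this widens what persists after the call unless it is restored later, which is not visible in this hunk. Both hunks sit inside getrrsetbyname(), whose start and end are outside the diff.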
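--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
 #ifndef RRSET_VALIDATED
 # define RRSET_VALIDATED 1
 #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
 
 /*
  * Return codes for getrrsetbyname()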
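Review bot: RRSET_FORCE_EDNS0 is given the value 0x0001, the same as RRSET_VALIDATED defined immediately above it, and nothing in the header says which field each applies to. If, as the names suggest, RRSET_VALIDATED describes the result's flags while RRSET_FORCE_EDNS0 is a caller-supplied input flag, the shared value is harmless but should be stated, e.g. `/* Input flag for getrrsetbyname(): request EDNS0 and DNSSEC (AD bit) regardless of resolv.conf. */` above the new `#ifndef`. If they can ever be tested against the same word, a distinct bit would be the safer choice.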