Force use of DNSSEC even if "options edns0" isn't in resolv.conf

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06

Patch-Name: dnssec-sshfp.patch

1 files changed, 13 insertions, 1 deletions

diff --git a/dns.c b/dns.c
index e813afeae..fce2e308f 100644
--- a/dns.c
+++ b/dns.c
@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
         u_int counter;
         int result;
+        unsigned int rrset_flags = 0;
         struct rrsetinfo *fingerprints = NULL;
 
         u_int8_t hostkey_algorithm;
@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
                 return -1;
         }
 
+        /*
+         * Original getrrsetbyname function, found on OpenBSD for example,
+         * doesn't accept any flag and prerequisite for obtaining AD bit in
+         * DNS response is set by "options edns0" in resolv.conf.
+         *
+         * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+         */
+#ifndef HAVE_GETRRSETBYNAME
+        rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
         result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-            DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+            DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
         if (result) {
                 verbose("DNS lookup error: %s", dns_result_totext(result));
                 return -1;