-rw-r--r--dns.c14
-rw-r--r--openbsd-compat/getrrsetbyname.c10
-rw-r--r--openbsd-compat/getrrsetbyname.h3
3 files changed, 21 insertions, 6 deletions
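--- a/dns.c
+++ b/dns.c
@@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
 	u_int counter;
 	int result;
+	unsigned int rrset_flags = 0;
 	struct rrsetinfo *fingerprints = NULL;
 
 	u_int8_t hostkey_algorithm;
@@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		return -1;
 	}
 
+	/*
+	 * Original getrrsetbyname function, found on OpenBSD for example,
+	 * doesn't accept any flag and prerequisite for obtaining AD bit in
+	 * DNS response is set by "options edns0" in resolv.conf.
+	 *
+	 * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+	 */
+#ifndef HAVE_GETRRSETBYNAME
+	rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
 	if (result) {
 		verbose("DNS lookup error: %s", dns_result_totext(result));
 		return -1;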
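Review bot: The block comment added above the `#ifndef HAVE_GETRRSETBYNAME` guard in the second hunk is wordy and ungrammatical ("is more clever and use"), and it does not say what the flag actually changes for the caller. A shorter form would carry the same information: `/* The compat getrrsetbyname() accepts RRSET_FORCE_EDNS0 to request EDNS0 (needed for the AD bit) without relying on "options edns0" in resolv.conf; a native getrrsetbyname() takes no flags, so the flag is only set when the compat version is built. */`. It may also be worth a one-line note that on systems with a native getrrsetbyname() the AD bit still depends on the resolver configuration, since that is the case the comment describes but the code path silently keeps. verify_host_key_dns continues outside the hunk.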
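--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 		goto fail;
 	}
 
-	/* don't allow flags yet, unimplemented */
-	if (flags) {
+	/* Allow RRSET_FORCE_EDNS0 flag only. */
+	if ((flags & !RRSET_FORCE_EDNS0) != 0) {
 		result = ERRSET_INVAL;
 		goto fail;
 	}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 
 #ifdef RES_USE_DNSSEC
-	/* turn on DNSSEC if EDNS0 is configured */
-	if (_resp->options & RES_USE_EDNS0)
-		_resp->options |= RES_USE_DNSSEC;
+	/* turn on DNSSEC if required */
+	if (flags & RRSET_FORCE_EDNS0)
+		_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
 
 	/* make query */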
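Review bot: The new flag check in the first hunk, `if ((flags & !RRSET_FORCE_EDNS0) != 0)`, uses logical NOT where bitwise NOT is intended: `!RRSET_FORCE_EDNS0` evaluates to 0, so `flags & 0` is always 0, the condition is never true, and ERRSET_INVAL is never returned for any flags value, including bits this implementation does not understand; the old `if (flags)` at least rejected everything. It should read `if ((flags & ~RRSET_FORCE_EDNS0) != 0) {` so that only the one supported bit passes and the comment above it becomes true. Separately, the second hunk now sets RES_USE_DNSSEC only when RRSET_FORCE_EDNS0 is passed, so a caller passing flags of 0 on a resolver configured with RES_USE_EDNS0 no longer gets the DNSSEC option it got before; if that is intentional the replaced comment should say so rather than "if required". getrrsetbyname's body starts before the first hunk and continues after the second.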
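--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
 #ifndef RRSET_VALIDATED
 # define RRSET_VALIDATED 1
 #endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
 
 /*
  * Return codes for getrrsetbyname()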
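Review bot: `RRSET_FORCE_EDNS0` is defined as `0x0001`, the same numeric value as `RRSET_VALIDATED` on the line directly above, and nothing in the header says that the two apply to different words (presumably the `flags` argument of getrrsetbyname() versus the `rri_flags` result field — to be confirmed against the struct definition, which is outside this hunk). A reader comparing the two could easily assume one is a typo of the other. A comment on the new definition would remove the ambiguity, e.g. `/* flags argument to getrrsetbyname(); unrelated to the RRSET_VALIDATED result bit */`, and the `#ifndef` guard should likewise note whether a system-provided value is expected to take precedence.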