Diffstat (limited to 'dns.c')
-rw-r--r--dns.c14
1 files changed, 13 insertions, 1 deletions
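--- a/dns.c
+++ b/dns.c
@@ -206,6 +206,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 {
 	u_int counter;
 	int result;
+	unsigned int rrset_flags = 0;
 	struct rrsetinfo *fingerprints = NULL;
 
 	u_int8_t hostkey_algorithm;
@@ -229,8 +230,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 		return -1;
 	}
 
+	/*
+	 * Original getrrsetbyname function, found on OpenBSD for example,
+	 * doesn't accept any flag and prerequisite for obtaining AD bit in
+	 * DNS response is set by "options edns0" in resolv.conf.
+	 *
+	 * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+	 */
+#ifndef HAVE_GETRRSETBYNAME
+	rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
 	result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
-	    DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+	    DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
 	if (result) {
 		verbose("DNS lookup error: %s", dns_result_totext(result));
 		return -1;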
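Review bot: The new block comment above the `#ifndef HAVE_GETRRSETBYNAME` guard explains the mechanism (EDNS0 is what lets the AD bit come back) but not why that matters here, and its last sentence is ungrammatical ("is more clever and use"). I would reword it to say that the flag only requests EDNS0 so a validating resolver can set the AD bit, that the AD bit is what later lets the SSHFP records be treated as authenticated (the DNS_VERIFY_SECURE path further down in verify_host_key_dns, outside this hunk), and that the bit still only reflects validation done by the resolver, so its trustworthiness depends on the path to that resolver rather than on this flag. A shorter last line, e.g. `* The bundled openbsd-compat version accepts RRSET_FORCE_EDNS0, so request EDNS0 explicitly instead of relying on resolv.conf.`, would replace the "more clever" sentence. The guard could also carry a one-line note that the system getrrsetbyname rejects non-zero flags, which is the reason flags stay 0 when HAVE_GETRRSETBYNAME is defined; that is stated in the comment but is easy to miss next to the `#ifndef`. The function body continues beyond the end of the hunk.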