From 1e06dfb99d3a59ef0b0a804ed1c2a590b3fab71c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06

Patch-Name: dnssec-sshfp.patch
---
 openbsd-compat/getrrsetbyname.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'openbsd-compat/getrrsetbyname.c')

diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index dc6fe0533..e061a290a 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 		goto fail;
 	}
 
-	/* don't allow flags yet, unimplemented */
-	if (flags) {
+	/* Allow RRSET_FORCE_EDNS0 flag only. */
+	if ((flags & !RRSET_FORCE_EDNS0) != 0) {
 		result = ERRSET_INVAL;
 		goto fail;
 	}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif /* DEBUG */
 
 #ifdef RES_USE_DNSSEC
-	/* turn on DNSSEC if EDNS0 is configured */
-	if (_resp->options & RES_USE_EDNS0)
-		_resp->options |= RES_USE_DNSSEC;
+	/* turn on DNSSEC if required  */
+	if (flags & RRSET_FORCE_EDNS0)
+		_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
 #endif /* RES_USE_DNSEC */
 
 	/* make query */
-- 
cgit v1.2.3