mirror of https://github.com/systemd/systemd.git synced 2024-12-26 03:22:00 +03:00

resolved: set the AA bit for synthetic answers

The stub DNS server is authoritative for the RRs we synthesize, such as
localhost, _gateway, and entries from /etc/hosts, and also for trust anchors.

Partially fixes https://github.com/systemd/systemd/issues/17972
Sergey Bugaev 2021-02-13 17:09:09 +03:00
parent b332778b30
commit 4ad017cda5
3 changed files with 12 additions and 1 deletions


@ -1140,3 +1140,10 @@ bool dns_query_fully_confidential(DnsQuery *q) {
return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential; return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
} }
bool dns_query_fully_synthetic(DnsQuery *q) {
assert(q);
return (q->answer_query_flags & (SD_RESOLVED_SYNTHETIC | SD_RESOLVED_FROM_TRUST_ANCHOR)) &&
!(q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~SD_RESOLVED_FROM_TRUST_ANCHOR);
}
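Review bot: dns_query_fully_synthetic() decides from the final `q->answer_query_flags` alone, while dns_query_fully_confidential() directly above also checks `q->previous_redirect_non_confidential`, so the new predicate has no equivalent guard for earlier CNAME/DNAME steps. If `SD_RESOLVED_SYNTHETIC` reflects only the last step of a redirect chain (the flag handling is outside this hunk, so this needs confirming), a chain that passed through network data and ended on a synthesized record would be reported as fully synthetic, and the stub would set AA on an answer it is not authoritative for. Clients and forwarders may rank AA data above non-authoritative data, so the predicate should fail closed: either track a per-query redirect flag the way the confidential check does, or document why that is unnecessary. A comment above the function such as `/* True only if every RR in the answer was synthesized locally or came from the trust anchor; drives the AA bit in stub replies. */` would also help.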


@ -134,6 +134,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);
bool dns_query_fully_authenticated(DnsQuery *q); bool dns_query_fully_authenticated(DnsQuery *q);
bool dns_query_fully_confidential(DnsQuery *q); bool dns_query_fully_confidential(DnsQuery *q);
bool dns_query_fully_synthetic(DnsQuery *q);
static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) { static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
assert(q); assert(q);


@ -428,6 +428,7 @@ static int dns_stub_finish_reply_packet(
uint16_t id, uint16_t id,
int rcode, int rcode,
bool tc, /* set the Truncated bit? */ bool tc, /* set the Truncated bit? */
bool aa, /* set the Authoritative Answer bit? */
bool add_opt, /* add an OPT RR to this packet? */ bool add_opt, /* add an OPT RR to this packet? */
bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */ bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */
bool ad, /* set the DNSSEC authenticated data bit? */ bool ad, /* set the DNSSEC authenticated data bit? */
@ -466,7 +467,7 @@ static int dns_stub_finish_reply_packet(
DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS( DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
1 /* qr */, 1 /* qr */,
0 /* opcode */, 0 /* opcode */,
0 /* aa */, aa /* aa */,
tc /* tc */, tc /* tc */,
1 /* rd */, 1 /* rd */,
1 /* ra */, 1 /* ra */,
@ -556,6 +557,7 @@ static int dns_stub_send_reply(
DNS_PACKET_ID(q->request_packet), DNS_PACKET_ID(q->request_packet),
rcode, rcode,
truncated, truncated,
dns_query_fully_synthetic(q),
!!q->request_packet->opt, !!q->request_packet->opt,
edns0_do, edns0_do,
DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q), DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
@ -596,6 +598,7 @@ static int dns_stub_send_failure(
DNS_PACKET_ID(p), DNS_PACKET_ID(p),
rcode, rcode,
truncated, truncated,
false,
!!p->opt, !!p->opt,
DNS_PACKET_DO(p), DNS_PACKET_DO(p),
DNS_PACKET_AD(p) && authenticated, DNS_PACKET_AD(p) && authenticated,
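Review bot: The new `aa` argument is passed as a bare `false` in dns_stub_send_failure(), in the middle of a run of adjacent bool parameters (`tc`, `aa`, `add_opt`, `edns0_do`, `ad`) where a transposed argument compiles silently and would put the wrong bit in the reply header. Annotating the literal, e.g. `false, /* aa: not authoritative for failure replies */`, keeps the call site readable and makes the intent reviewable. The signature of dns_stub_finish_reply_packet() and the bodies of both callers extend outside the visible hunks, so the argument order should be checked against the full parameter list.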