mirror of
https://github.com/systemd/systemd.git
resolved: set the AA bit for synthetic answers
The stub DNS server is authoritative for the RRs we synthesize, such as localhost, _gateway, and entries from /etc/hosts, and also for trust anchors. Partially fixes https://github.com/systemd/systemd/issues/17972
parent
b332778b30
commit
4ad017cda5
@ -1140,3 +1140,10 @@ bool dns_query_fully_confidential(DnsQuery *q) {
|
|||||||
|
|
||||||
return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
|
return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool dns_query_fully_synthetic(DnsQuery *q) {
|
||||||
|
assert(q);
|
||||||
|
|
||||||
|
return (q->answer_query_flags & (SD_RESOLVED_SYNTHETIC | SD_RESOLVED_FROM_TRUST_ANCHOR)) &&
|
||||||
|
!(q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~SD_RESOLVED_FROM_TRUST_ANCHOR);
|
||||||
|
}
|
||||||
|
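Review bot: dns_query_fully_synthetic() decides from q->answer_query_flags alone, while dns_query_fully_confidential() directly above it also checks q->previous_redirect_non_confidential. If answer_query_flags only describes the final step of a CNAME/DNAME chain (the neighbouring field suggests this, but the hunk does not show it), a reply whose earlier redirect was answered from the network and whose last target is synthesized would go out with AA set, overstating the stub's authority to clients that act on the bit. Either track a non-synthetic previous redirect the same way the confidential check does, or document why that cannot happen, e.g. `/* True only if the answer came exclusively from synthesized RRs and/or the trust anchor; NOTE: earlier CNAME/DNAME steps are not considered here */`.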
@ -134,6 +134,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);
|
|||||||
|
|
||||||
bool dns_query_fully_authenticated(DnsQuery *q);
|
bool dns_query_fully_authenticated(DnsQuery *q);
|
||||||
bool dns_query_fully_confidential(DnsQuery *q);
|
bool dns_query_fully_confidential(DnsQuery *q);
|
||||||
|
bool dns_query_fully_synthetic(DnsQuery *q);
|
||||||
|
|
||||||
static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
|
static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
|
||||||
assert(q);
|
assert(q);
|
||||||
|
@ -428,6 +428,7 @@ static int dns_stub_finish_reply_packet(
|
|||||||
uint16_t id,
|
uint16_t id,
|
||||||
int rcode,
|
int rcode,
|
||||||
bool tc, /* set the Truncated bit? */
|
bool tc, /* set the Truncated bit? */
|
||||||
|
bool aa, /* set the Authoritative Answer bit? */
|
||||||
bool add_opt, /* add an OPT RR to this packet? */
|
bool add_opt, /* add an OPT RR to this packet? */
|
||||||
bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */
|
bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */
|
||||||
bool ad, /* set the DNSSEC authenticated data bit? */
|
bool ad, /* set the DNSSEC authenticated data bit? */
|
||||||
@ -466,7 +467,7 @@ static int dns_stub_finish_reply_packet(
|
|||||||
DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
|
DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
|
||||||
1 /* qr */,
|
1 /* qr */,
|
||||||
0 /* opcode */,
|
0 /* opcode */,
|
||||||
0 /* aa */,
|
aa /* aa */,
|
||||||
tc /* tc */,
|
tc /* tc */,
|
||||||
1 /* rd */,
|
1 /* rd */,
|
||||||
1 /* ra */,
|
1 /* ra */,
|
||||||
@ -556,6 +557,7 @@ static int dns_stub_send_reply(
|
|||||||
DNS_PACKET_ID(q->request_packet),
|
DNS_PACKET_ID(q->request_packet),
|
||||||
rcode,
|
rcode,
|
||||||
truncated,
|
truncated,
|
||||||
|
dns_query_fully_synthetic(q),
|
||||||
!!q->request_packet->opt,
|
!!q->request_packet->opt,
|
||||||
edns0_do,
|
edns0_do,
|
||||||
DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
|
DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
|
||||||
@ -596,6 +598,7 @@ static int dns_stub_send_failure(
|
|||||||
DNS_PACKET_ID(p),
|
DNS_PACKET_ID(p),
|
||||||
rcode,
|
rcode,
|
||||||
truncated,
|
truncated,
|
||||||
|
false,
|
||||||
!!p->opt,
|
!!p->opt,
|
||||||
DNS_PACKET_DO(p),
|
DNS_PACKET_DO(p),
|
||||||
DNS_PACKET_AD(p) && authenticated,
|
DNS_PACKET_AD(p) && authenticated,
|
||||||
|
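Review bot: The bare `false` passed for the new aa parameter in dns_stub_send_failure() sits in a run of adjacent bool parameters (tc, aa, add_opt, edns0_do, ad), so a transposed argument would compile silently and flip a different header bit. Annotate the literal at the call site, `false, /* aa: failure replies are not synthesized answers */`, and consider the same for `dns_query_fully_synthetic(q), /* aa */` in dns_stub_send_reply(). All three functions start and end outside the visible hunks, so whether other callers of dns_stub_finish_reply_packet() were updated cannot be checked from here.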