From 022ab25237b3da32705eb88d74f01590ca121625 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:01 +0000 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf This allows SSHFP DNS records to be verified if glibc 2.11 is installed. Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 Last-Update: 2023-06-19 Patch-Name: dnssec-sshfp.patch --- dns.c | 14 +++++++++++++- openbsd-compat/getrrsetbyname.c | 10 +++++----- openbsd-compat/getrrsetbyname.h | 3 +++ 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/dns.c b/dns.c index 939241440..bf47a079f 100644 --- a/dns.c +++ b/dns.c @@ -198,6 +198,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, { u_int counter; int result; + unsigned int rrset_flags = 0; struct rrsetinfo *fingerprints = NULL; u_int8_t hostkey_algorithm; @@ -220,8 +221,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, return -1; } + /* + * Original getrrsetbyname function, found on OpenBSD for example, + * doesn't accept any flag and prerequisite for obtaining AD bit in + * DNS response is set by "options edns0" in resolv.conf. + * + * Our version is more clever and use RRSET_FORCE_EDNS0 flag. + */ +#ifndef HAVE_GETRRSETBYNAME + rrset_flags |= RRSET_FORCE_EDNS0; +#endif result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, - DNS_RDATATYPE_SSHFP, 0, &fingerprints); + DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); + if (result) { verbose("DNS lookup error: %s", dns_result_totext(result)); return -1; diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index ad35148c9..add519441 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -214,8 +214,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, goto fail; } - /* don't allow flags yet, unimplemented */ - if (flags) { + /* Allow RRSET_FORCE_EDNS0 flag only. */ + if ((flags & ~RRSET_FORCE_EDNS0) != 0) { result = ERRSET_INVAL; goto fail; } @@ -231,9 +231,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, #endif /* DEBUG */ #ifdef RES_USE_DNSSEC - /* turn on DNSSEC if EDNS0 is configured */ - if (_resp->options & RES_USE_EDNS0) - _resp->options |= RES_USE_DNSSEC; + /* turn on DNSSEC if required */ + if (flags & RRSET_FORCE_EDNS0) + _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); #endif /* RES_USE_DNSEC */ /* make query */ diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h @@ -72,6 +72,9 @@ #ifndef RRSET_VALIDATED # define RRSET_VALIDATED 1 #endif +#ifndef RRSET_FORCE_EDNS0 +# define RRSET_FORCE_EDNS0 0x0001 +#endif /* * Return codes for getrrsetbyname()