Google Git
Sign in
gfiber / vendor / opensource / dnsmasq / 288df49c96bb736a0cce203c7cbf7a1408dc99d6^! / .
commit288df49c96bb736a0cce203c7cbf7a1408dc99d6[log] [tgz]
authorSimon Kelley <simon@thekelleys.org.uk>Thu Sep 18 21:48:51 2014 +0100
committerSimon Kelley <simon@thekelleys.org.uk>Thu Sep 18 21:55:27 2014 +0100
treeeb05a5ec6da14c6479910fef987cdfc4c3dcde5a
parent10cfc0ddb35d8e7d19bdb86240a49004980b1ff8 [diff]
Fix bug when resulted in NXDOMAIN answers instead of NODATA.

check_for_local_domain() was broken due to new code matching F_*
bits in cache entries for DNSSEC. Because F_DNSKEY | F_DS is
used to match RRSIG entries, cache_find_by_name() insists on an exact match
of those bits. So adding F_DS to the bits that check_for_local_domain()
sends to cache_find_by_name() won't result in DS records as well
as the others, it results in only DS records. Add a new bit, F_NSIGMATCH
which suitably changes the behaviour of cache_find_by_name().

diff --git a/CHANGELOG b/CHANGELOG
index a499107..00f0480 100644
--- a/CHANGELOG
+++ b/CHANGELOG

@@ -31,6 +31,9 @@
 	    --conf-dir=/etc/dnsmasq.d,\*.conf
 	    will load all the files in /etc/dnsmasq.d which end in .conf
  
+            Fix bug when resulted in NXDOMAIN answers instead of NODATA in
+            some circumstances.
+	    
 
 version 2.71
             Subtle change to error handling to help DNSSEC validation 

diff --git a/src/cache.c b/src/cache.c
index 5cec918..2c3a498 100644
--- a/src/cache.c
+++ b/src/cache.c

@@ -636,7 +636,7 @@
 	    {
 	      if ((crecp->flags & F_FORWARD) && 
 #ifdef HAVE_DNSSEC
-		  ((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) &&
+		  (((crecp->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) &&
 #endif
 		  (crecp->flags & prot) &&
 		  hostname_isequal(cache_get_name(crecp), name))
@@ -696,7 +696,7 @@
   if (ans && 
       (ans->flags & F_FORWARD) &&
 #ifdef HAVE_DNSSEC
-      ((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) &&
+      (((ans->flags & (F_DNSKEY | F_DS)) == (prot & (F_DNSKEY | F_DS))) || (prot & F_NSIGMATCH)) &&
 #endif
       (ans->flags & prot) &&     
       hostname_isequal(cache_get_name(ans), name))

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index a1ac1d1..e74b15a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h

@@ -440,6 +440,7 @@
 #define F_SECSTAT   (1u<<24)
 #define F_NO_RR     (1u<<25)
 #define F_IPSET     (1u<<26)
+#define F_NSIGMATCH (1u<<27)
 
 /* Values of uid in crecs with F_CONFIG bit set. */
 #define SRC_INTERFACE 0

diff --git a/src/rfc1035.c b/src/rfc1035.c
index 25ac167..8a7d260 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c

@@ -1246,7 +1246,12 @@
   struct ptr_record *ptr;
   struct naptr *naptr;
 
-  if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR)) &&
+  /* Note: the call to cache_find_by_name is intended to find any record which matches
+     ie A, AAAA, CNAME, DS. Because RRSIG records are marked by setting both F_DS and F_DNSKEY,
+     cache_find_by name ordinarily only returns records with an exact match on those bits (ie
+     for the call below, only DS records). The F_NSIGMATCH bit changes this behaviour */
+
+  if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_DS | F_NO_RR | F_NSIGMATCH)) &&
       (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
     return 1;