author | Ronan Pigott <ronan@rjp.ie> | 2024-10-19 06:10:57 +0200 |
---|---|---|
committer | Ronan Pigott <ronan@rjp.ie> | 2024-10-19 06:21:35 +0200 |
commit | 36074e01499ea4fc89a0c642cef83bd650014e5a (patch) | |
tree | c0ca261b2f3a22a15f735b03e2ac1bc45c9be152 | |
parent | resolved: authenticate bypass queries (diff) | |
resolved: enable CD bit without DO set
This is useful for a validating resolver to indicate to a non-validating
resolver when checking was disabled for the query. This matches the
behavior of the major public resolvers in response to queries with CD but
not DO set.
-rw-r--r-- | src/resolve/resolved-dns-stub.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index ee1e31010c..bd0822e6dc 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -462,10 +462,6 @@ static int dns_stub_finish_reply_packet(
 rcode = DNS_RCODE_SERVFAIL;
 }
- /* Don't set the CD bit unless DO is on, too */
- if (!edns0_do)
- cd = false;
-
 /* Note that we allow the AD bit to be set even if client didn't signal DO, as per RFC 6840, section
 * 5.7 */
@@ -631,7 +627,7 @@ static int dns_stub_send_reply(
 !!q->request_packet->opt,
 edns0_do,
 (DNS_PACKET_AD(q->request_packet) || DNS_PACKET_DO(q->request_packet)) && dns_query_fully_authenticated(q),
- DNS_PACKET_CD(q->request_packet),
+ FLAGS_SET(q->flags, SD_RESOLVED_NO_VALIDATE),
 q->stub_listener_extra ? ADVERTISE_EXTRA_DATAGRAM_SIZE_MAX : ADVERTISE_DATAGRAM_SIZE_MAX,
 dns_packet_has_nsid_request(q->request_packet) > 0 && !q->stub_listener_extra);
 if (r < 0)
@@ -997,6 +993,7 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea
 r = dns_query_new(m, &q, p->question, p->question, NULL, 0,
 protocol_flags|
 SD_RESOLVED_NO_SEARCH|
+ (DNS_PACKET_CD(p) ? SD_RESOLVED_NO_VALIDATE | SD_RESOLVED_NO_CACHE : 0)|
 (DNS_PACKET_DO(p) ? SD_RESOLVED_REQUIRE_PRIMARY : 0)|
 SD_RESOLVED_CLAMP_TTL);
 if (r < 0) { |
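Review bot: In the `dns_stub_send_reply()` hunk the CD argument is now read from `q->flags` instead of the request packet, so the bit in the reply is only right if every path that builds a stub query sets `SD_RESOLVED_NO_VALIDATE` exactly when the client sent CD; only one `dns_query_new()` call is visible in this diff, so the other callers should be checked. A short comment on the argument would make the intent explicit, for example `/* cd: validation was actually disabled for this query */`. Because CD can now be combined with AD but no DO in a request, it is also worth confirming that `dns_query_fully_authenticated(q)` on the line above cannot be true for an answer obtained with validation disabled, so that AD is never asserted for unchecked data. The call starts and ends outside the hunk.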
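Review bot: The added flag line in `dns_stub_process_query()` lets a stub client switch off DNSSEC validation for its query by setting CD alone, and pairs that with `SD_RESOLVED_NO_CACHE` without saying why. Please add a comment such as `/* CD: client asked for checking disabled, so skip validation and do not answer from the cache */`, and confirm that an answer obtained this way is not stored where a later validating query could receive it as authenticated; the hunk does not show the cache write path. The new line also writes ` | ` with spaces where the neighbouring lines use `flag|`, so it could follow the local style. The `dns_query_new()` call sits in a function whose body continues outside the hunk.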