Gitiles
Code Review Sign In
gerrit.nordix.org / thekelleys / dnsmasq / 5aa5f0ff2f8227ed743feb089dee421f1ca69943^! / .
commit5aa5f0ff2f8227ed743feb089dee421f1ca69943[log] [tgz]
authorSimon Kelley <simon@thekelleys.org.uk>Mon Dec 21 17:20:35 2015 +0000
committerSimon Kelley <simon@thekelleys.org.uk>Mon Dec 21 17:20:35 2015 +0000
tree39d5ae1b03e22ef2c12142e53b9f97f23e76d0a1
parent5bb88f096363e66ac08e31761f850a1d5aa22244 [diff]
Truncate DNS replies >512 bytes that the client isn't expecting.

diff --git a/src/edns0.c b/src/edns0.c
index d1a11e7..e137992 100644
--- a/src/edns0.c
+++ b/src/edns0.c

@@ -339,9 +339,8 @@
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
 {
   /* Section 9.2, Check that subnet option in reply matches. */
-
-
- int len, calc_len;
+  
+  int len, calc_len;
   struct subnet_opt opt;
   unsigned char *p;
   int code, i, rdlen;

diff --git a/src/forward.c b/src/forward.c
index 2ca3c86..e1766b9 100644
--- a/src/forward.c
+++ b/src/forward.c

@@ -485,8 +485,8 @@
 		     packet size to 512. But that won't provide space for the RRSIGS in many cases.
 		     The RRSIGS will be stripped out before the answer goes back, so the packet should
 		     shrink again. So, if we added a do-bit, bump the udp packet size to the value
-		     known to be OK for this server. Maybe check returned size after stripping and set
-		     the truncated bit? */		  
+		     known to be OK for this server. We check returned size after stripping and set
+		     the truncated bit if it's still too big. */		  
 		  unsigned char *pheader;
 		  int is_sign;
 		  if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign)
@@ -1028,6 +1028,19 @@
 	{
 	  header->id = htons(forward->orig_id);
 	  header->hb4 |= HB4_RA; /* recursion if available */
+#ifdef HAVE_DNSSEC
+	  /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size
+	     greater than the no-EDNS0-implied 512 to have if space for the RRSIGS. If, having stripped them and the EDNS0
+             header, the answer is still bigger than 512, truncate it and mark it so. The client then retries with TCP. */
+	  if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER) && (nn > PACKETSZ))
+	    {
+	      header->ancount = htons(0);
+	      header->nscount = htons(0);
+	      header->arcount = htons(0);
+	      header->hb3 |= HB3_TC;
+	      nn = resize_packet(header, nn, NULL, 0);
+	    }
+#endif
 	  send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, 
 		    &forward->source, &forward->dest, forward->iface);
 	}