tree f68fd8a3ae38d97ce2eaf51c0a67107486c6548b
parent 51e4eeeb04b8dd8510ed267d580751525e77cb77
author Simon Kelley <simon@thekelleys.org.uk> 1530279581 +0100
committer Simon Kelley <simon@thekelleys.org.uk> 1530279581 +0100
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJbNjeFAAoJEBXN2mrhkTWiuqUP/2xMJApfD0ucubY/T5YYXOCG
 OZu5SY1ulBnAy8zx+lSQtgPMzI3x3HaKBh4OWzagvPTdVDVBMVr8BY5wZDOzb+i1
 BziYsLi006xF7G1R+ShYEFWUFN6N6dPSuum8lqKN0Id8/PmSIZd5TwhL4Ep3O6RY
 W8KsacPbuIBups/z3nz6lacLspxZZJM23vTIHOQMPN44fQOQjCPR1MwMFEk0sfDM
 zadhZs/YwxaR9yCtS/duxyg5nvzLBnc3kM4wutP6QGeEQ61yOnQdWa/ACRP+KdLn
 iqu9IgFkpt47eUPWbvGMGaUnGZuEqYguQxw8NSakQSzPtghK1JW2JQ2bFuboueDF
 QfoHfb/LAbzTzuf+RKnxbioiHe7KpIFCAf0jxRBgBJW3c3dTeBM91uFnL5wQxVCY
 uHu4KaQ7tqcISc5FtJGGeBF0N7rG4bVI71lXzc3Rmg5YZyU7TUoQmw2rX+c7+KGA
 I/+iOb1+sbZM2VssNwxRJjpXxGgX8+tjXJxQRkgj5P8POHg5ZjBCU4z5XQS0z8zp
 kHnFsv4De2iUzj21WCadK04VB6B4Zqu8vRFmmOA2QxK1KF2xs+SpsjzgCAtiGQcZ
 OacWuIFKXblGCgvZfYNN7IpEHZLaXNS0TXpYyF0edVdXqecJzLgKrkvWeMa/ygSB
 7aNaT/4OzuQTeZu0EDG/
 =Jxte
 -----END PGP SIGNATURE-----

Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled.

Dnsmasq does pass on the do-bit, and return DNSSEC RRs, irrespective
of of having DNSSEC validation compiled in or enabled.

The thing to understand here is that the cache does not store all the
DNSSEC RRs, and dnsmasq doesn't have the (very complex) logic required
to determine the set of DNSSEC RRs required in an answer. Therefore if
the client wants the DNSSEC RRs, the query can not be answered from
the cache. When DNSSEC validation is enabled, any query with the
do-bit set is never answered from the cache, unless the domain is
known not to be signed: the query is always forwarded. This ensures
that the DNSEC RRs are included.

The same thing should be true when DNSSEC validation is not enabled,
but there's a bug in the logic.

line 1666 of src/rfc1035.c looks like this

 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || !do_bit || !(crecp->flags & F_DNSSECOK))

{ ...answer from cache ... }

So local stuff (hosts, DHCP, ) get answered. If the do_bit is not set
then the query is answered, and if the domain is known not to be
signed, the query is answered.

Unfortunately, if DNSSEC validation is not turned on then the
F_DNSSECOK bit is not valid, and it's always zero, so the question
always gets answered from the cache, even when the do-bit is set.

This code should look like that at line 1468, dealing with PTR queries

  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
      !do_bit ||
      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))

where the F_DNSSECOK bit is only used when validation is enabled.