Commit 8c11a03e authored by Colin Watson

Force use of DNSSEC even if "options edns0" isn't in resolv.conf

This allows SSHFP DNS records to be verified if glibc 2.11 is installed.

Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06

Patch-Name: dnssec-sshfp.patch
parent 72fead7f
......@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
{
u_int counter;
int result;
unsigned int rrset_flags = 0;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
......@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
return -1;
}
/*
* Original getrrsetbyname function, found on OpenBSD for example,
* doesn't accept any flag and prerequisite for obtaining AD bit in
* DNS response is set by "options edns0" in resolv.conf.
*
* Our version is more clever and use RRSET_FORCE_EDNS0 flag.
*/
#ifndef HAVE_GETRRSETBYNAME
rrset_flags |= RRSET_FORCE_EDNS0;
#endif
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
DNS_RDATATYPE_SSHFP, 0, &fingerprints);
DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
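Review bot: The comment above the `#ifndef HAVE_GETRRSETBYNAME` block does not say what the reader actually needs: the flag is only ever set when the bundled openbsd-compat getrrsetbyname() is compiled in, so on a platform with a native getrrsetbyname() the lookup still passes 0 and whether the answer is validated still depends on "options edns0" in resolv.conf, exactly as before this commit. "Our version is more clever" should be replaced by a statement of that contract, e.g. `/* The openbsd-compat getrrsetbyname() honours RRSET_FORCE_EDNS0 to request EDNS0+DNSSEC regardless of resolv.conf; the native implementation accepts no flags, so the flag is only passed when the compat version is built. */`. It is also worth stating in the commit description that the DNSSEC forcing is therefore limited to builds without a native getrrsetbyname(), which appears to be what the glibc 2.11 remark implies. verify_host_key_dns() begins and ends outside this hunk.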
......@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
goto fail;
}
/* don't allow flags yet, unimplemented */
if (flags) {
/* Allow RRSET_FORCE_EDNS0 flag only. */
if ((flags & !RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
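Review bot: The new flag check `if ((flags & !RRSET_FORCE_EDNS0) != 0)` uses logical NOT where bitwise NOT is intended: `!RRSET_FORCE_EDNS0` is `!0x0001`, i.e. 0, so the mask is 0, the condition is never true, and any flag bits a caller passes are silently accepted instead of being rejected with ERRSET_INVAL as the old `if (flags)` did. The line should read `if ((flags & ~RRSET_FORCE_EDNS0) != 0) {`. With the current code the comment "Allow RRSET_FORCE_EDNS0 flag only" is false, and the input validation this function had before the change has effectively been removed. getrrsetbyname() starts before and continues after this hunk.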
......@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
/* turn on DNSSEC if EDNS0 is configured */
if (_resp->options & RES_USE_EDNS0)
_resp->options |= RES_USE_DNSSEC;
/* turn on DNSSEC if required */
if (flags & RRSET_FORCE_EDNS0)
_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
#endif /* RES_USE_DNSEC */
/* make query */
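Review bot: The rewritten condition drops the previous behaviour for callers that do not pass RRSET_FORCE_EDNS0: before this change RES_USE_DNSSEC was turned on whenever the resolver already had RES_USE_EDNS0 set (for example via "options edns0" in resolv.conf), whereas now it is only set when the flag is given, so a flags=0 caller on such a host no longer requests DNSSEC and presumably no longer gets the validated answer it used to. If the intent is to add forcing rather than replace the configured path, keep both: `if ((flags & RRSET_FORCE_EDNS0) || (_resp->options & RES_USE_EDNS0))` followed by `_resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);`. The comment "turn on DNSSEC if required" should then say "turn on DNSSEC if forced by the caller or if EDNS0 is already configured". The surrounding `#ifdef RES_USE_DNSSEC` block is only partially visible here and the enclosing function continues outside the hunk.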
......@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
#endif
#ifndef RRSET_FORCE_EDNS0
# define RRSET_FORCE_EDNS0 0x0001
#endif
/*
* Return codes for getrrsetbyname()