From 221dff13865453585b049f509c92b4b198258911 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12)" Date: Wed, 13 May 2015 23:50:23 +0200 Subject: Add DNS debug aid if we requsted AD but got AA If the resolver we ask is authoritive (AA) for some domain, we never ever get the AD (authentic data) bit in the answer. --- src/src/dns.c | 11 +++++++++++ src/src/host.c | 23 +++++++++++++++++++++-- 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/src/src/dns.c b/src/src/dns.c index 79c4ed3fc..6358eada6 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -462,6 +462,17 @@ HEADER * h = (HEADER *)dnsa->answer; h->ad = 0; } +/************************************************ + * Check whether the AA bit is set * + * We need this to warn if we requested AD * + * from a authoritive server * + ************************************************/ + +BOOL +dns_is_aa(const dns_answer *dnsa) +{ +return ((HEADER*)dnsa->answer)->aa; +} diff --git a/src/src/host.c b/src/src/host.c index 5629d7db2..19b5805b9 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -2228,7 +2228,8 @@ Arguments: fully_qualified_name if not NULL, return fully qualified name here if the contents are different (i.e. it must be preset to something) - dnnssec_require if TRUE check the DNS result AD bit + dnssec_request if TRUE request the AD bit + dnssec_require if TRUE require the AD bit Returns: HOST_FIND_FAILED couldn't find A record HOST_FIND_AGAIN try again later @@ -2300,6 +2301,12 @@ for (; i >= 0; i--) lookup_dnssec_authenticated = !dnssec_request ? NULL : dns_is_secure(&dnsa) ? US"yes" : US"no"; + DEBUG(D_dns) + if ((dnssec_request || dnssec_require) + & !dns_is_secure(&dnsa) + & dns_is_aa(&dnsa)) + debug_printf("DNS lookup of %.256s (A/AAA/A6) asked for AD, but got AA\n", host->name); + /* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups fails or times out, but not if another one succeeds. (In the early IPv6 days there are name servers that always fail on AAAA, but are happy @@ -2544,7 +2551,7 @@ dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0, host_find_failed_syntax = FALSE; /* First, if requested, look for SRV records. The service name is given; we -assume TCP progocol. DNS domain names are constrained to a maximum of 256 +assume TCP protocol. DNS domain names are constrained to a maximum of 256 characters, so the code below should be safe. */ if ((whichrrs & HOST_FIND_BY_SRV) != 0) @@ -2565,6 +2572,12 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0) lookup_dnssec_authenticated = NULL; rc = dns_lookup_timerwrap(&dnsa, buffer, ind_type, CUSS &temp_fully_qualified_name); + DEBUG(D_dns) + if ((dnssec_request || dnssec_require) + & !dns_is_secure(&dnsa) + & dns_is_aa(&dnsa)) + debug_printf("DNS lookup of %.256s (SRV) requested AD, but got AA\n", host->name); + if (dnssec_request) { if (dns_is_secure(&dnsa)) @@ -2611,6 +2624,12 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0) lookup_dnssec_authenticated = NULL; rc = dns_lookup_timerwrap(&dnsa, host->name, ind_type, fully_qualified_name); + DEBUG(D_dns) + if ((dnssec_request || dnssec_require) + & !dns_is_secure(&dnsa) + & dns_is_aa(&dnsa)) + debug_printf("DNS lookup of %.256s (MX) asked for AD, but got AA\n", host->name); + if (dnssec_request) { if (dns_is_secure(&dnsa)) -- cgit v1.2.3