Return EDE OTHER error when DNSSEC validation abandoned.
authorSimon Kelley <simon@thekelleys.org.uk>
Sun, 12 Jan 2025 16:00:09 +0000 (16:00 +0000)
committerSimon Kelley <simon@thekelleys.org.uk>
Sun, 12 Jan 2025 16:00:09 +0000 (16:00 +0000)
This distinguishes the case where we found a message was bogus
from cases where the validation process itself failed to complete.

src/config.h
src/forward.c

index 5e65df6..0d84752 100644 (file)
@@ -18,7 +18,7 @@
 #define MAX_PROCS 20 /* default max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
-#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */
+#define TCP_TIMEOUT 1 /* timeout waiting to connect to an upstream server - double this for answer */
 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
 #define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from  /dnsflagday.net/2020 */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
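Review bot: The TCP_TIMEOUT change from 5 to 1 on line 18 is unrelated to the commit's subject and is not mentioned in the description. Per the comment on the same line the answer timeout is double this value, so an upstream TCP query (the fallback for truncated DNSSEC responses) now gets only about two seconds before it is given up on, and this same commit turns an abandoned validation into a SERVFAIL with EDE OTHER, so slow upstreams would become visibly more failure-prone. If this is a leftover from testing, restore `#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */`; if it is deliberate, it deserves its own commit or at least a sentence in this one.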
index b458d2e..bb2f48c 100644 (file)
@@ -780,7 +780,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
              header->ancount = htons(0);
              header->nscount = htons(0);
              header->arcount = htons(0);
-             ede = EDE_DNSSEC_BOGUS;
            }
        }
       else if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
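Review bot: With the `ede = EDE_DNSSEC_BOGUS;` assignment removed, this branch of process_reply no longer forces an EDE code when it strips the answer sections; it now emits whatever the caller passed in `ede`. That is correct for return_reply and tcp_request, which this commit changes to pre-set EDE_DNSSEC_BOGUS or EDE_OTHER, but any other caller that reaches this branch with `ede` still EDE_UNSET would now send a SERVFAIL with no EDE at all, which is a regression worth confirming against the remaining call sites. A short comment here would make the new contract explicit: `/* caller supplies ede (EDE_DNSSEC_BOGUS or EDE_OTHER) when the answer is stripped */`. process_reply starts outside this hunk.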
@@ -1244,20 +1243,25 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
          char *result, *domain = "result";
          union all_addr a;
 
-         a.log.ede = ede = errflags_to_ede(status);
+         ede = errflags_to_ede(status);
          
          if (STAT_ISEQUAL(status, STAT_ABANDONED))
            {
              result = "ABANDONED";
              status = STAT_BOGUS;
+             if (ede == EDE_UNSET)
+               ede = EDE_OTHER;
            }
          else
            result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
+
          
          if (STAT_ISEQUAL(status, STAT_SECURE))
            cache_secure = 1;
          else if (STAT_ISEQUAL(status, STAT_BOGUS))
            {
+             if (ede == EDE_UNSET)
+               ede = EDE_DNSSEC_BOGUS;
              no_cache_dnssec = 1;
              bogusanswer = 1;
              
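Review bot: The `if (ede == EDE_UNSET) ede = EDE_OTHER;` added in the ABANDONED branch only works because it runs before the `else if (STAT_ISEQUAL(status, STAT_BOGUS))` block below, which would otherwise assign EDE_DNSSEC_BOGUS once `status` has been rewritten to STAT_BOGUS; that ordering dependency is invisible to a reader and should be stated, e.g. `/* set before status becomes STAT_BOGUS below, so the generic BOGUS code does not override it */`. The added line at 47 is an empty `+` line directly above an existing whitespace-only line, leaving two blank lines (one with trailing spaces) where there was one. return_reply starts and ends outside this hunk.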
@@ -1265,6 +1269,7 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
                domain = daemon->namebuff;
            }
       
+         a.log.ede = ede;
          log_query(F_SECSTAT, domain, &a, result, 0);
        }
     }
@@ -2457,12 +2462,14 @@ unsigned char *tcp_request(int confd, time_t now,
                              char *result, *domain = "result";
                              
                              union all_addr a;
-                             a.log.ede = ede = errflags_to_ede(status);
+                             ede = errflags_to_ede(status);
                              
                              if (STAT_ISEQUAL(status, STAT_ABANDONED))
                                {
                                  result = "ABANDONED";
                                  status = STAT_BOGUS;
+                                 if (ede == EDE_UNSET)
+                                   ede = EDE_OTHER;
                                }
                              else
                                result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
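Review bot: The ABANDONED-to-EDE_OTHER and BOGUS-to-EDE_DNSSEC_BOGUS mapping is now written out twice, here in tcp_request and identically in return_reply, and the two already have to be kept in lock-step in this one commit; a small static helper taking the status, ede and result label by pointer would give the mapping a single home. The sketch below assumes `status` and `ede` are plain `int`s as they appear to be used here; the caller would become `secstat_ede(&status, &ede, &result);` followed by the unchanged cache_secure/bogusanswer handling. tcp_request starts and ends outside this hunk.

```c
/* Map a validation status to its log label and default EDE code.
   STAT_ABANDONED is reported as BOGUS with EDE_OTHER so a validation
   that could not be completed is distinguishable from a proven-bad answer. */
static void secstat_ede(int *status, int *ede, char **result)
{
  *ede = errflags_to_ede(*status);

  if (STAT_ISEQUAL(*status, STAT_ABANDONED))
    {
      *result = "ABANDONED";
      *status = STAT_BOGUS;
      if (*ede == EDE_UNSET)
	*ede = EDE_OTHER;
    }
  else
    {
      *result = STAT_ISEQUAL(*status, STAT_SECURE) ? "SECURE" :
	(STAT_ISEQUAL(*status, STAT_INSECURE) ? "INSECURE" : "BOGUS");
      if (STAT_ISEQUAL(*status, STAT_BOGUS) && *ede == EDE_UNSET)
	*ede = EDE_DNSSEC_BOGUS;
    }
}
/* … unchanged: cache_secure / no_cache_dnssec / bogusanswer handling and log_query call … */
```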
@@ -2471,6 +2478,8 @@ unsigned char *tcp_request(int confd, time_t now,
                                cache_secure = 1;
                              else if (STAT_ISEQUAL(status, STAT_BOGUS))
                                {
+                                 if (ede == EDE_UNSET)
+                                   ede = EDE_DNSSEC_BOGUS;
                                  no_cache_dnssec = 1;
                                  bogusanswer = 1;
                                  
@@ -2478,6 +2487,7 @@ unsigned char *tcp_request(int confd, time_t now,
                                    domain = daemon->namebuff;
                                }
                              
+                             a.log.ede = ede;
                              log_query(F_SECSTAT, domain, &a, result, 0);
                              
                              if ((daemon->limit[LIMIT_CRYPTO] - validatecount) > (int)daemon->metrics[METRIC_CRYPTO_HWM])