From: Simon Kelley
Date: Sun, 12 Jan 2025 16:00:09 +0000 (+0000)
Subject: Return EDE OTHER error when DNSSEC validation abandoned.
X-Git-Tag: v2.91test7~8
X-Git-Url: https://thekelleys.org.uk/gitweb/?a=commitdiff_plain;h=b58276a73cd3ef671821c0204dec109052f89c97;p=dnsmasq.git

Return EDE OTHER error when DNSSEC validation abandoned.

This distinguishes the case where we found a message was bogus from cases where the process failed.
---
diff --git a/src/config.h b/src/config.h
index 5e65df6..0d84752 100644
--- a/src/config.h
+++ b/src/config.h
@@ -18,7 +18,7 @@
 #define MAX_PROCS 20 /* default max no children for TCP requests */
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
-#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */
+#define TCP_TIMEOUT 1 /* timeout waiting to connect to an upstream server - double this for answer */
 #define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
 #define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
diff --git a/src/forward.c b/src/forward.c
index b458d2e..bb2f48c 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -780,7 +780,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 header->ancount = htons(0);
 header->nscount = htons(0);
 header->arcount = htons(0);
- ede = EDE_DNSSEC_BOGUS;
 }
 }
 else if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
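Review bot: The TCP_TIMEOUT change from 5 to 1 in config.h is not mentioned anywhere in the commit message, which is only about the EDE code for abandoned validation, so it reads as an unrelated or accidental edit that slipped in. Per the comment on that same line the answer timeout is double this value, so an upstream TCP exchange now gets 1 s to connect and 2 s to answer; on slow or distant upstreams that will turn more queries into failures, and DNSSEC queries that have to go over TCP (large responses) may then surface as the ABANDONED/SERVFAIL path this very commit is tuning. If the reduction is intended it deserves its own commit with a rationale; otherwise restore `#define TCP_TIMEOUT 5 /* timeout waiting to connect to an upstream server - double this for answer */`.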
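Review bot: With `ede = EDE_DNSSEC_BOGUS;` removed from the bogus branch of process_reply, the SERVFAIL built here now carries whatever EDE the caller passed in, so any caller that reaches it with bogusanswer set but ede still EDE_UNSET will send no EDE at all. The two callers changed in this commit (return_reply and tcp_request) do pre-set EDE_DNSSEC_BOGUS or EDE_OTHER, but process_reply begins outside the hunk and other callers are not visible here. A conditional fallback in place of the removed line, `if (ede == EDE_UNSET) ede = EDE_DNSSEC_BOGUS;`, keeps the abandoned case's EDE_OTHER intact while preserving the old behaviour for any caller that does not set it. It is worth a one-line comment as well, e.g. `/* caller picks EDE_OTHER vs EDE_DNSSEC_BOGUS; fall back to bogus */`.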
@@ -1244,20 +1243,25 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
 char *result, *domain = "result";
 union all_addr a;
- a.log.ede = ede = errflags_to_ede(status);
+ ede = errflags_to_ede(status);
 if (STAT_ISEQUAL(status, STAT_ABANDONED))
 {
 result = "ABANDONED";
 status = STAT_BOGUS;
+ if (ede == EDE_UNSET)
+ ede = EDE_OTHER;
 }
 else
 result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
+
 if (STAT_ISEQUAL(status, STAT_SECURE))
 cache_secure = 1;
 else if (STAT_ISEQUAL(status, STAT_BOGUS))
 {
+ if (ede == EDE_UNSET)
+ ede = EDE_DNSSEC_BOGUS;
 no_cache_dnssec = 1;
 bogusanswer = 1;
@@ -1265,6 +1269,7 @@ void return_reply(time_t now, struct frec *forward, struct dns_header *header, s
 domain = daemon->namebuff;
 }
+ a.log.ede = ede;
 log_query(F_SECSTAT, domain, &a, result, 0);
 }
 }
@@ -2457,12 +2462,14 @@ unsigned char *tcp_request(int confd, time_t now,
 char *result, *domain = "result";
 union all_addr a;
- a.log.ede = ede = errflags_to_ede(status);
+ ede = errflags_to_ede(status);
 if (STAT_ISEQUAL(status, STAT_ABANDONED))
 {
 result = "ABANDONED";
 status = STAT_BOGUS;
+ if (ede == EDE_UNSET)
+ ede = EDE_OTHER;
 }
 else
 result = (STAT_ISEQUAL(status, STAT_SECURE) ? "SECURE" : (STAT_ISEQUAL(status, STAT_INSECURE) ? "INSECURE" : "BOGUS"));
@@ -2471,6 +2478,8 @@ unsigned char *tcp_request(int confd, time_t now,
 cache_secure = 1;
 else if (STAT_ISEQUAL(status, STAT_BOGUS))
 {
+ if (ede == EDE_UNSET)
+ ede = EDE_DNSSEC_BOGUS;
 no_cache_dnssec = 1;
 bogusanswer = 1;
@@ -2478,6 +2487,7 @@ unsigned char *tcp_request(int confd, time_t now,
 domain = daemon->namebuff;
 }
+ a.log.ede = ede;
 log_query(F_SECSTAT, domain, &a, result, 0);
 if ((daemon->limit[LIMIT_CRYPTO] - validatecount) > (int)daemon->metrics[METRIC_CRYPTO_HWM])
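Review bot: The status-to-EDE fallback added here in return_reply (EDE_OTHER when abandoned, EDE_DNSSEC_BOGUS when bogus, each only while ede is still EDE_UNSET) is written out a second time, line for line, in the tcp_request hunks at @@ -2457 and @@ -2471, and the deferred `a.log.ede = ede;` likewise at @@ -1265 and @@ -2478. Two hand-maintained copies of the same mapping are how the UDP and TCP paths drift apart on the next change; a small static helper called from both sites keeps the rule in one place. The helper has to see the original status, because both call sites rewrite STAT_ABANDONED to STAT_BOGUS right after computing ede. return_reply starts and ends outside the hunk.
```c
/* EDE code to report alongside a DNSSEC validation result: keep whatever
   errflags_to_ede() already produced, otherwise distinguish "validation
   could not be completed" (EDE_OTHER) from "answer proved bogus".
   Call with the original status, before STAT_ABANDONED is rewritten
   to STAT_BOGUS. */
static int secstat_ede(int status, int ede)
{
  if (ede != EDE_UNSET)
    return ede;
  if (STAT_ISEQUAL(status, STAT_ABANDONED))
    return EDE_OTHER;
  if (STAT_ISEQUAL(status, STAT_BOGUS))
    return EDE_DNSSEC_BOGUS;
  return EDE_UNSET;
}

/* … in return_reply, and identically in tcp_request … */
ede = secstat_ede(status, errflags_to_ede(status));
/* … unchanged: result/status rewrite, cache_secure / bogusanswer handling, a.log.ede = ede; log_query() … */
```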