From 4435b4ec2d40fb2193752fead5fee7bc093a2e10 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 18 Aug 2016 16:13:24 +0100
Subject: [PATCH] [Fix] Make dnssec configurable option disabled by default for now

---
 contrib/librdns/dns_private.h | 1 +
 contrib/librdns/packet.c | 7 ++++++-
 contrib/librdns/rdns.h | 6 ++++++
 contrib/librdns/resolver.c | 8 ++++++++
 src/libserver/cfg_file.h | 1 +
 src/libserver/cfg_rcl.c | 6 ++++++
 src/libserver/dns.c | 1 +
 7 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/contrib/librdns/dns_private.h b/contrib/librdns/dns_private.h
index 4e3f7c9a8..a198dc46d 100644
--- a/contrib/librdns/dns_private.h
+++ b/contrib/librdns/dns_private.h
@@ -125,6 +125,7 @@ struct rdns_resolver {
 bool async_binded;
 bool initialized;
+ bool enable_dnssec;
 ref_entry_t ref;
 };
diff --git a/contrib/librdns/packet.c b/contrib/librdns/packet.c
index 25f3d8979..e3020d7e8 100644
--- a/contrib/librdns/packet.c
+++ b/contrib/librdns/packet.c
@@ -268,7 +268,12 @@ rdns_add_edns0 (struct rdns_request *req)
 *p16++ = 0;
 /* Z 10000000 00000000 to allow dnssec */
 p8 = (uint8_t *)p16;
- *p8++ = 0x80;
+ if (req->resolver->enable_dnssec) {
+ *p8++ = 0x80;
+ }
+ else {
+ *p8++ = 0x00;
+ }
 *p8++ = 0;
 p16 = (uint16_t *)p8;
 /* Length */
diff --git a/contrib/librdns/rdns.h b/contrib/librdns/rdns.h
index d7615667e..82506d36a 100644
--- a/contrib/librdns/rdns.h
+++ b/contrib/librdns/rdns.h
@@ -236,6 +236,12 @@ struct rdns_resolver *rdns_resolver_new (void);
 void rdns_resolver_async_bind (struct rdns_resolver *resolver,
 struct rdns_async_context *ctx);
+/**
+ * Enable stub dnssec resolver
+ * @param resolver
+ */
+void rdns_resolver_set_dnssec (struct rdns_resolver *resolver, bool enabled);
+
 /**
 * Add new DNS server definition to the resolver
 * @param resolver resolver object
diff --git a/contrib/librdns/resolver.c b/contrib/librdns/resolver.c
index 20700ee3b..70e226804 100644
--- a/contrib/librdns/resolver.c
+++ b/contrib/librdns/resolver.c
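Review bot: The comment `/* Z 10000000 00000000 to allow dnssec */` two lines above the new branch is now stale, because the DO bit (the high bit of the first Z byte, RFC 6891 §6.1.4) is only set when `req->resolver->enable_dnssec` is true and the byte is written as 0x00 otherwise. I would replace it with `/* EDNS0 Z/flags: set DO (0x8000) only when the resolver has DNSSEC enabled */` and collapse the branch to `*p8++ = req->resolver->enable_dnssec ? 0x80 : 0x00;`. As far as this hunk shows, setting DO only asks the upstream nameserver to include DNSSEC records (and so send larger responses); nothing here validates signatures, so callers should not treat answers as authenticated on the strength of this flag alone. rdns_add_edns0 starts before and continues after this hunk.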
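Review bot: The new Doxygen block for `rdns_resolver_set_dnssec` lists `@param resolver` with no text and omits `enabled` entirely, and its summary "Enable stub dnssec resolver" promises more than the accompanying packet.c change delivers, which only toggles the EDNS0 DO bit on outgoing queries. I would reword the summary to say that the flag controls whether queries request DNSSEC data (the DO bit), add `@param resolver resolver object` and `@param enabled true to set the DO bit on outgoing queries, false to clear it`, and state which value a freshly created resolver has, since the commit title says disabled by default but no initialisation is visible in this patch.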
@@ -853,3 +853,11 @@ rdns_resolver_async_bind (struct rdns_resolver *resolver,
 resolver->async_binded = true;
 }
 }
+
+void
+rdns_resolver_set_dnssec (struct rdns_resolver *resolver, bool enabled)
+{
+ if (resolver) {
+ resolver->enable_dnssec = enabled;
+ }
+}
diff --git a/src/libserver/cfg_file.h b/src/libserver/cfg_file.h
index 2eb418506..f66361a41 100644
--- a/src/libserver/cfg_file.h
+++ b/src/libserver/cfg_file.h
@@ -383,6 +383,7 @@ struct rspamd_config {
 guint32 dns_io_per_server; /**< number of sockets per DNS server */
 const ucl_object_t *nameservers; /**< list of nameservers or NULL to parse resolv.conf */
 guint32 dns_max_requests; /**< limit of DNS requests per task */
+ gboolean enable_dnssec; /**< enable dnssec stub resolver */
 guint upstream_max_errors; /**< upstream max errors before shutting off */
 gdouble upstream_error_time; /**< rate of upstream errors */
diff --git a/src/libserver/cfg_rcl.c b/src/libserver/cfg_rcl.c
index 94c5862d7..3d1c6ecad 100644
--- a/src/libserver/cfg_rcl.c
+++ b/src/libserver/cfg_rcl.c
@@ -2015,6 +2015,12 @@ rspamd_rcl_config_init (struct rspamd_config *cfg)
 G_STRUCT_OFFSET (struct rspamd_config, dns_io_per_server),
 RSPAMD_CL_FLAG_INT_32,
 "Number of sockets per DNS server");
+ rspamd_rcl_add_default_handler (ssub,
+ "enable_dnssec",
+ rspamd_rcl_parse_struct_boolean,
+ G_STRUCT_OFFSET (struct rspamd_config, enable_dnssec),
+ 0,
+ "Enable DNSSEC support in Rspamd");
 /* New upstreams configuration */
diff --git a/src/libserver/dns.c b/src/libserver/dns.c
index eb0e4e9a2..c0fdceebd 100644
--- a/src/libserver/dns.c
+++ b/src/libserver/dns.c
@@ -244,6 +244,7 @@ dns_resolver_init (rspamd_logger_t *logger,
 if (cfg != NULL) {
 rdns_resolver_set_log_level (dns_resolver->r, cfg->log_level);
 dns_resolver->cfg = cfg;
+ rdns_resolver_set_dnssec (dns_resolver->r, cfg->enable_dnssec);
 }
 rdns_resolver_set_logger (dns_resolver->r, rspamd_rnds_log_bridge, logger);
-- 
2.39.5
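Review bot: The setter relies on `enable_dnssec` already being false in a freshly created resolver, but the allocation in `rdns_resolver_new` is not part of this patch, so "disabled by default" holds only if that function zero-initialises the struct (for example via calloc); an explicit `resolver->enable_dnssec = false;` there, or a comment on the new field in dns_private.h stating the default, would make the default independent of the allocator. The NULL guard turns a call with a NULL resolver into a silent no-op, which may match the rest of the librdns API, but a one-line comment `/* a NULL resolver is ignored */` above the check would make that intent explicit. The function is complete within the hunk.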
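Review bot: The help text `"Enable DNSSEC support in Rspamd"` on the last added line overstates what the option does: the packet.c hunk in this patch only sets the EDNS0 DO bit on outgoing queries, and nothing visible here validates signatures, so an operator reading it could assume answers become authenticated. I would change it to `"Request DNSSEC data (EDNS0 DO bit) in DNS queries; disabled by default"`, which also records the default the commit title promises. rspamd_rcl_config_init starts before and continues after this hunk.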
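Review bot: The new call sits inside `if (cfg != NULL)`, so when `dns_resolver_init` is called without a config the resolver keeps whatever value `rdns_resolver_new` leaves in `enable_dnssec`, which is not visible in this patch; hoisting it to `rdns_resolver_set_dnssec (dns_resolver->r, cfg != NULL && cfg->enable_dnssec);` after the block makes the disabled default explicit on both paths. The `gboolean` to `bool` conversion is fine in C, since any non-zero value becomes true. dns_resolver_init starts before and continues after this hunk.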