package/network/services/dnsmasq/patches/0013-Treat-DS-and-DNSKEY-queries-being-forwarded-the-same.patch

   1 From 07e25da5bf26d46aad4f1d2eb19b260789182004 Mon Sep 17 00:00:00 2001
   2 From: Simon Kelley <simon@thekelleys.org.uk>
   3 Date: Sun, 16 Dec 2018 18:21:58 +0000
   4 Subject: [PATCH 13/32] Treat DS and DNSKEY queries being forwarded the same as
   5  those locally originated.
   6
   7 The queries will not be forwarded to a server for a domain, unless
   8 there's a trust anchor provided for that domain. This allows, especially,
   9 suitable proof of non-existance for DS records to come from
  10 the parent domain for domains which are not signed.
  11
  12 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
  13 ---
  14  src/rfc1035.c | 7 +++++++
  15  1 file changed, 7 insertions(+)
  16
  17 --- a/src/rfc1035.c
  18 +++ b/src/rfc1035.c
  19 @@ -916,6 +916,13 @@ unsigned int extract_request(struct dns_
  20        if (qtype == T_ANY)
  21         return  F_IPV4 | F_IPV6;
  22      }
  23 +
  24 +  /* F_DNSSECOK as agument to search_servers() inhibits forwarding
  25 +     to servers for domains without a trust anchor. This make the
  26 +     behaviour for DS and DNSKEY queries we forward the same
  27 +     as for DS and DNSKEY queries we originate. */
  28 +  if (qtype == T_DS || qtype == T_DNSKEY)
  29 +    return F_DNSSECOK;
  30
  31    return F_QUERY;
  32  }