85f98a
From 10642f9fb350e118d88e995b8dfa2badc7be1c30 Mon Sep 17 00:00:00 2001
85f98a
From: Petr Mensik <pemensik@redhat.com>
85f98a
Date: Wed, 11 Dec 2019 13:41:57 +0100
85f98a
Subject: [PATCH] Restore ability to answer non-recursive requests
85f98a
85f98a
Instead, check only local configured entries are answered without
85f98a
rdbit set. All cached replies are still denied, but locally configured
85f98a
names are available with both recursion and without it.
85f98a
---
85f98a
 src/rfc1035.c | 27 ++++++++++++++-------------
85f98a
 1 file changed, 14 insertions(+), 13 deletions(-)
85f98a
85f98a
diff --git a/src/rfc1035.c b/src/rfc1035.c
85f98a
index 6b3bb27..6a7c154 100644
85f98a
--- a/src/rfc1035.c
85f98a
+++ b/src/rfc1035.c
85f98a
@@ -1262,7 +1262,11 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
85f98a
   else
85f98a
     return daemon->max_ttl;
85f98a
 }
85f98a
-  
85f98a
+
85f98a
+static int cache_validated(const struct crec *crecp)
85f98a
+{
85f98a
+  return (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK));
85f98a
+}
85f98a
 
85f98a
 /* return zero if we can't answer from cache, or packet size if we can */
85f98a
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
85f98a
@@ -1281,6 +1285,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
85f98a
   int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
85f98a
   struct mx_srv_record *rec;
85f98a
   size_t len;
85f98a
+  int rd_bit;
85f98a
   // Make sure we do not underflow here too.
85f98a
   if (qlen > (limit - ((char *)header))) return 0;
85f98a
 
85f98a
@@ -1290,10 +1295,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
85f98a
       OPCODE(header) != QUERY )
85f98a
     return 0;
85f98a
 
85f98a
-  /* always servfail queries with RD unset, to avoid cache snooping. */
85f98a
-  if (!(header->hb3 & HB3_RD))
85f98a
-    return setup_reply(header, qlen, NULL, F_SERVFAIL, 0);
85f98a
-  
85f98a
+  rd_bit = (header->hb3 & HB3_RD);
85f98a
+
85f98a
   /* Don't return AD set if checking disabled. */
85f98a
   if (header->hb4 & HB4_CD)
85f98a
     sec_data = 0;
85f98a
@@ -1458,9 +1461,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
85f98a
 		  /* Don't use cache when DNSSEC data required, unless we know that
85f98a
 		     the zone is unsigned, which implies that we're doing
85f98a
 		     validation. */
85f98a
-		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) || 
85f98a
-		      !do_bit || 
85f98a
-		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
85f98a
+		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
85f98a
+		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
85f98a
 		    {
85f98a
 		      do 
85f98a
 			{ 
85f98a
@@ -1657,8 +1659,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
85f98a
 
85f98a
 		  /* If the client asked for DNSSEC  don't use cached data. */
85f98a
 		  if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
85f98a
-		      !do_bit ||
85f98a
-		      (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
85f98a
+		      (rd_bit && (!do_bit || cache_validated(crecp)) ))
85f98a
 		    do
85f98a
 		      { 
85f98a
 			/* don't answer wildcard queries with data not from /etc/hosts
85f98a
@@ -1741,8 +1742,8 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
85f98a
 	  if (qtype == T_CNAME || qtype == T_ANY)
85f98a
 	    {
85f98a
 	      if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME | (dryrun ? F_NO_RR : 0))) &&
85f98a
-		  (qtype == T_CNAME || (crecp->flags & F_CONFIG)) &&
85f98a
-		  ((crecp->flags & F_CONFIG) || !do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
85f98a
+		  ((qtype == T_CNAME && rd_bit) || (crecp->flags & F_CONFIG)) &&
85f98a
+		  ((crecp->flags & F_CONFIG) || (!do_bit || cache_validated(crecp))))
85f98a
 		{
85f98a
 		  if (!(crecp->flags & F_DNSSECOK))
85f98a
 		    sec_data = 0;
85f98a
@@ -1780,7 +1781,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
85f98a
 		    }
85f98a
 		  }
85f98a
 	      
85f98a
-	      if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) && 
85f98a
+	      if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) &&
85f98a
 		  cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR))
85f98a
 		{ 
85f98a
 		  ans = 1;
85f98a
-- 
85f98a
2.21.0
85f98a