556. [func] The DNSSEC OK bit in the EDNS extended flags

                        is now implemented.  Responses to queries without
                        this bit set will not contain any DNSSEC records.

CHANGES

 
+ 556.	[func]		The DNSSEC OK bit in the EDNS extended flags
+			is now implemented.  Responses to queries without
+			this bit set will not contain any DNSSEC records.
+
  555.	[bug]		A slave server attempting a zone transfer could 
 			crash with an assertion failure on certain
 			malformed responses from the master. [RT #457]

bin/dig/dig.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.126 2000/11/08 00:47:15 mws Exp $ */
+/* $Id: dig.c,v 1.127 2000/11/13 21:33:50 bwelling Exp $ */
 
 #include <config.h>
 #include <stdlib.h>
@@ -180,6 +180,7 @@ show_usage(void) {
 "                 +[no]trace          (Trace delegation down from root)\n"
 "                 +rrlimit=###        (Limit number of rr's in xfr)\n"
 "                 +namelimit=###      (Limit number of names in xfr)\n"
+"                 +[no]dnssec         (Request DNSSEC records)\n"
 "        global d-opts and servers (before host name) affect all queries.\n"
 "        local d-opts and servers (after host name) affect only that lookup.\n"
 , stderr);
@@ -679,9 +680,12 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 		break;
 	case 'd':
 		switch (cmd[1]) {
-		case 'e':
+		case 'e': /* defname */
 			lookup->defname = state;
 			break;
+		case 'n': /* dnssec */	
+			lookup->dnssec = state;
+			break;
 		case 'o': /* domain */	
 			if (value == NULL)
 				goto need_value;

bin/dig/dighost.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.161 2000/11/08 01:23:27 gson Exp $ */
+/* $Id: dighost.c,v 1.162 2000/11/13 21:33:51 bwelling Exp $ */
 
 /*
  * Notice to programmers:  Do not use this code as an example of how to
@@ -356,6 +356,7 @@ make_empty_lookup(void) {
 	looknew->ignore = ISC_FALSE;
 	looknew->servfail_stops = ISC_FALSE;
 	looknew->besteffort = ISC_TRUE;
+	looknew->dnssec = ISC_FALSE;
 	looknew->udpsize = 0;
 	looknew->recurse = ISC_TRUE;
 	looknew->aaonly = ISC_FALSE;
@@ -415,6 +416,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->ignore = lookold->ignore;
 	looknew->servfail_stops = lookold->servfail_stops;
 	looknew->besteffort = lookold->besteffort;
+	looknew->dnssec = lookold->dnssec;
 	looknew->udpsize = lookold->udpsize;
 	looknew->recurse = lookold->recurse;
         looknew->aaonly = lookold->aaonly;
@@ -757,7 +759,9 @@ setup_libs(void) {
  * option is UDP buffer size.
  */
 static void
-add_opt(dns_message_t *msg, isc_uint16_t udpsize, dns_optlist_t optlist) {
+add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec,
+	dns_optlist_t optlist)
+{
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist = NULL;
 	dns_rdata_t *rdata = NULL;
@@ -784,6 +788,8 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, dns_optlist_t optlist) {
 	rdatalist->covers = 0;
 	rdatalist->rdclass = udpsize;
 	rdatalist->ttl = 0;
+	if (dnssec)
+		rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
 	rdata->data = NULL;
 	rdata->length = 0;
 #ifdef DNS_OPT_NEWCODES_LIVE
@@ -1422,10 +1428,10 @@ setup_lookup(dig_lookup_t *lookup) {
 	result = dns_message_renderbegin(lookup->sendmsg, &lookup->sendbuf);
 	check_result(result, "dns_message_renderbegin");
 #ifndef DNS_OPT_NEWCODES_LIVE
-	if (lookup->udpsize > 0) {
+	if (lookup->udpsize > 0 || lookup->dnssec) {
 #else /* DNS_OPT_NEWCODES_LIVE */
-	if (lookup->udpsize > 0 || lookup->zonename[0] !=0 ||
-	    lookup->viewname[0] != 0) {
+	if (lookup->udpsize > 0 ||  || lookup->dnssec ||
+	    lookup->zonename[0] !=0 || lookup->viewname[0] != 0) {
 		dns_fixedname_t fname;
 		isc_buffer_t namebuf, *wirebuf = NULL;
 		dns_compress_t cctx;
@@ -1475,7 +1481,8 @@ setup_lookup(dig_lookup_t *lookup) {
 			optlist.used++;
 		}
 #endif /* DNS_OPT_NEWCODES_LIVE */
-		add_opt(lookup->sendmsg, lookup->udpsize, optlist);
+		add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec,
+			optlist);
 #ifdef DNS_OPT_NEWCODES_LIVE
 		if (wirebuf != NULL)
 			isc_buffer_free(&wirebuf);

bin/dig/include/dig/dig.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.56 2000/11/08 00:47:18 mws Exp $ */
+/* $Id: dig.h,v 1.57 2000/11/13 21:33:53 bwelling Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
@@ -96,7 +96,8 @@ struct dig_lookup {
 		section_additional,
 		servfail_stops,
 		new_search,
-		besteffort;
+		besteffort,
+		dnssec;
 	char textname[MXNAME]; /* Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;

bin/named/client.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.126 2000/11/03 17:39:37 gson Exp $ */
+/* $Id: client.c,v 1.127 2000/11/13 21:33:54 bwelling Exp $ */
 
 #include <config.h>
 
@@ -538,6 +538,7 @@ ns_client_endrequest(ns_client_t *client) {
 	}
 
 	client->udpsize = 512;
+	client->extflags = 0;
 	dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
 
 	if (client->recursionquota != NULL)
@@ -1233,6 +1234,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		 * Set the client's UDP buffer size.
 		 */
 		client->udpsize = opt->rdclass;
+
+		/*
+		 * Get the flags out of the OPT record.
+		 */
+		client->extflags = DNS_OPT_FLAGS(opt);
 						     
 #ifdef DNS_OPT_NEWCODES
 		/*
@@ -1533,6 +1539,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
 	client->tcpbuf = NULL;
 	client->opt = NULL;
 	client->udpsize = 512;
+	client->extflags = 0;
 #ifdef DNS_OPT_NEWCODES
 	client->opt_zone = NULL;
 	client->opt_view = NULL;

bin/named/include/named/client.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.45 2000/10/12 21:51:48 mws Exp $ */
+/* $Id: client.h,v 1.46 2000/11/13 21:33:57 bwelling Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -109,6 +109,7 @@ struct ns_client {
 	unsigned char *		sendbuf;
 	dns_rdataset_t *	opt;
 	isc_uint16_t		udpsize;
+	isc_uint16_t		extflags;
 #ifdef DNS_OPT_NEWCODES
 	dns_fixedname_t *       opt_zone;
         isc_buffer_t *          opt_view;

bin/named/include/named/query.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.h,v 1.22 2000/09/06 20:35:22 gson Exp $ */
+/* $Id: query.h,v 1.23 2000/11/13 21:33:58 bwelling Exp $ */
 
 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
@@ -61,6 +61,7 @@ struct ns_query {
 #define NS_QUERYATTR_QUERYOKVALID	0x0040
 #define NS_QUERYATTR_QUERYOK		0x0080
 #define NS_QUERYATTR_WANTRECURSION	0x0100
+#define NS_QUERYATTR_WANTDNSSEC		0x0200
 
 isc_result_t
 ns_query_init(ns_client_t *client);

lib/dns/include/dns/message.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.82 2000/11/13 20:12:03 bwelling Exp $ */
+/* $Id: message.h,v 1.83 2000/11/13 21:34:01 bwelling Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -95,6 +95,8 @@
 #define DNS_MESSAGEFLAG_AD		0x0020U
 #define DNS_MESSAGEFLAG_CD		0x0010U
 
+#define DNS_MESSAGEEXTFLAG_DO		0x8000U
+
 #define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD)
 
 #define DNS_MESSAGE_HEADERLEN		12 /* 6 isc_uint16_t's */

lib/dns/include/dns/opt.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opt.h,v 1.2 2000/10/12 21:51:57 mws Exp $ */
+/* $Id: opt.h,v 1.3 2000/11/13 21:34:03 bwelling Exp $ */
 
 #ifndef DNS_OPT_H
 #define DNS_OPT_H 1
@@ -49,6 +49,8 @@
 #define DNS_OPTCODE_VIEW 0xfff1
 #endif /* DNS_OPT_NEWCODES */
 
+#define DNS_OPT_FLAGS(opt) ((opt)->ttl & 0xFFFF)
+
 /*
  * OPT records contain a series of attributes which contain different types.
  * These structures are used for holding the individual attribute

lib/dns/opt.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opt.c,v 1.4 2000/10/25 04:26:42 marka Exp $ */
+/* $Id: opt.c,v 1.5 2000/11/13 21:33:59 bwelling Exp $ */
 
 #include <config.h>
 
@@ -231,9 +231,13 @@ dns_opt_totext(dns_rdataset_t *opt, isc_buffer_t *target,
 				0x00ff0000 >> 16)));
 	ADD_STRING(target, buf, fail);
 	ADD_STRING(target, ", udp=", fail);
-	sprintf(buf, "%7u\n",
+	sprintf(buf, "%7u",
 		(unsigned int)opt->rdclass);
 	ADD_STRING(target, buf, fail);
+	ADD_STRING(target, ", flags:", fail);
+	if ((DNS_OPT_FLAGS(opt) & DNS_MESSAGEEXTFLAG_DO) != 0)
+		ADD_STRING(target, " do", fail);
+	ADD_STRING(target, "\n", fail);
 
 	list.attrs = &attr;
 	list.size = 1;

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.180 2000/11/11 02:14:50 gson Exp $ */
+/* $Id: resolver.c,v 1.181 2000/11/13 21:34:00 bwelling Exp $ */
 
 #include <config.h>
 
@@ -607,12 +607,12 @@ fctx_addopt(dns_message_t *message) {
 	rdatalist->rdclass = SEND_BUFFER_SIZE;
 
 	/*
-	 * Set EXTENDED-RCODE, VERSION, and Z to 0.
+	 * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1.
 	 */
-	rdatalist->ttl = 0;
+	rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
 
 	/*
-	 * No ENDS options.
+	 * No EDNS options.
 	 */
 	rdata->data = NULL;
 	rdata->length = 0;
@@ -936,11 +936,12 @@ resquery_send(resquery_t *query) {
 	}
 
 	/*
-	 * If we're using EDNS, set AD and CD so we'll get DNSSEC data.
+	 * If we're using EDNS, set CD.  CD and EDNS aren't really related,
+	 * but if we send a non EDNS query, there's a chance the server
+	 * won't understand CD either.
 	 */
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
-		fctx->qmessage->flags |=
-			(DNS_MESSAGEFLAG_AD|DNS_MESSAGEFLAG_CD);
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
 
 	/*
 	 * Add TSIG record tailored to the current recipient.