Use DS records as trust anchors, not DNSKEYs.

This allows us to query for the root zone DNSKEY RRset and validate
it, thus automatically handling KSK rollover.

CHANGELOG

@@ -17,7 +17,52 @@ version 2.69
 	    dnsmasq, [fe80::] with the link-local address. 
 	    Thanks to Tsachi Kimeldorfer for championing this.
 
+	    DNSSEC validation and caching. Dnsmasq needs to be
+	    compiled with this enabled, with 
+	    
+	    make dnsmasq COPTS=-DHAVE_DNSSEC
+	    
+	    this add dependencies on the nettle crypto library and the 
+	    gmp maths library. It's possible to have these linked
+	    statically with
+	    
+	    make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
+	    
+	    which bloats the dnsmasq binary to over a megabyte, but
+	    saves the size of the shared libraries which are five
+	    times that size.
+	    To enable, DNSSEC, you will need a set of
+	    trust-anchors. Now that the TLDs are signed, this can be
+	    the keys for the root zone, and for convenience they are
+	    included in trust-anchors.conf in the dnsmasq
+	    distribution. You should of course check that these are
+	    legitimate and up-to-date. So, adding
+	    
+	    conf-file=/path/to/trust-anchors.conf
+	    dnssec
 
+	    to your config is all thats needed to get things
+	    working. The upstream nameservers have to be DNSSEC-capable
+	    too, of course. Many ISP nameservers aren't, but the
+	    Google public nameservers (8.8.8.8 and 8.8.4.4) are.
+	    When DNSSEC is configured, dnsmasq validates any queries 
+	    for domains which are signed. Query results which are 
+	    bogus are replaced with SERVFAIL replies, and results 
+	    which are correctly signed have the AD bit set. In 
+	    addition, and just as importantly, dnsmasq supplies 
+	    correct DNSSEC information to clients which are doing 
+	    their own validation, and caches DNSKEY, DS and RRSIG
+	    records, which significantly improve the performance of 
+	    downstream validators. Setting --log-queries will show 
+	    DNSSEC in action.
+
+	    The development of DNSSEC in dnsmasq was started by 
+	    Giovanni Bajo, to whom huge thanks are owed. It has been
+	    supported by Comcast, whose techfund grant has allowed for 
+	    an invaluable period of full-time work to get it to 
+	    a workable state.
+ 
+	    
 version 2.68
             Use random addresses for DHCPv6 temporary address
             allocations, instead of algorithmically determined stable

Makefile

@@ -61,6 +61,7 @@ lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CON
 lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` 
 nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
 nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
@@ -77,7 +78,7 @@ all : $(BUILDDIR)
 	@cd $(BUILDDIR) && $(MAKE) \
  top="$(top)" \
  build_cflags="$(version) $(dbus_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
- build_libs="$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs)" \
+ build_libs="$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
  -f $(top)/Makefile dnsmasq 
 
 mostly_clean :
@@ -101,7 +102,7 @@ all-i18n : $(BUILDDIR)
  top="$(top)" \
  i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \
  build_cflags="$(version) $(dbus_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) `$(PKG_CONFIG) --cflags libidn`" \
- build_libs="$(dbus_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) `$(PKG_CONFIG) --libs libidn`"  \
+ build_libs="$(dbus_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) `$(PKG_CONFIG) --libs libidn`"  \
  -f $(top)/Makefile dnsmasq
 	for f in `cd $(PO); echo *.po`; do \
 		cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \

bld/pkg-wrapper

@@ -9,19 +9,24 @@ shift
 
 in=`cat`
 
-if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
-   echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
-   if [ $op = "--libs" ]; then
-     pkg=`$pkg --static $op $*`
-     echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
-     exit 0
-   fi
-fi
-
 if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
     echo $in | grep $search >/dev/null 2>&1; then
-    pkg=`$pkg $op $*`
-    echo "$pkg"
-    
+
+    if [ $op = "--copy" ]; then
+	pkg="$*"
+    else
+	pkg=`$pkg $op $*` 
+    fi
+
+    if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+	echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+	if [ $op = "--libs" ] || [ $op = "--copy" ]; then
+	    echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic"
+	else
+	    echo "$pkg" 
+	fi
+    else
+	echo "$pkg"
+    fi
 fi
 

contrib/try-all-ns/dnsmasq-2.68-try-all-ns

@@ -0,0 +1,29 @@
+From: Jesse Glick <jglick@cloudbees.com>
+To: dnsmasq-discuss@lists.thekelleys.org.uk
+Subject: Re: [Dnsmasq-discuss] Ability to delegate to one server but fall
+ back to another after NXDOMAIN?
+
+
+On Wed, Jan 15, 2014 at 12:30 PM, Simon Kelley <simon@thekelleys.org.uk> wrote:
+> > There's a (very old) patch in contrib/try-all-ns that would make a starting point
+This does not apply against trunk, so I tried to rework it. The
+following appears to do what I expect:
+
+diff --git a/src/forward.c b/src/forward.c
+index 8167229..76070b5 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -610,7 +610,11 @@ void reply_query(int fd, int family, time_t now)
+
+   if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) &&
+       !option_bool(OPT_ORDER) &&
+-      forward->forwardall == 0)
++      forward->forwardall == 0 ||
++      /* try each in turn */
++      RCODE(header) == NXDOMAIN &&
++      option_bool(OPT_ORDER) &&
++      server->next != NULL)
+     /* for broken servers, attempt to send to another one. */
+     {
+       unsigned char *pheader;
+

debian/changelog

@@ -1,7 +1,13 @@
+dnsmasq (2.69-1) unstable; urgency=low
+
+   * New upstream.
+
+ -- Simon Kelley <simon@thekelleys.org.uk>  Tue, 4 Feb 2014 16:28:12 +0000
+
 dnsmasq (2.68-1) unstable; urgency=low
 
    * New upstream. (closes: #730553)
-   
+
  -- Simon Kelley <simon@thekelleys.org.uk>  Sun, 8 Dec 2013 15:57:32 +0000
 
 dnsmasq (2.67-1) unstable; urgency=low

debian/control

@@ -1,7 +1,8 @@
 Source: dnsmasq
 Section: net
 Priority: optional
-Build-depends: gettext, libnetfilter-conntrack-dev [linux-any], libidn11-dev, libdbus-1-dev (>=0.61)
+Build-depends: gettext, libnetfilter-conntrack-dev [linux-any],
+               libidn11-dev, libdbus-1-dev (>=0.61), libgmp-dev, nettle-dev (>=2.4-3)
 Maintainer: Simon Kelley <simon@thekelleys.org.uk>
 Standards-Version: 3.9.3
 

debian/rules

@@ -77,7 +77,7 @@ ifneq (,$(filter uselua,$(DEB_BUILD_OPTIONS)))
      DEB_COPTS += -DHAVE_LUASCRIPT
 endif
 
-ifneq (,$(filter usednssec,$(DEB_BUILD_OPTIONS)))
+ifeq (,$(filter nodnssec,$(DEB_BUILD_OPTIONS)))
      DEB_COPTS += -DHAVE_DNSSEC
 endif
 
@@ -126,12 +126,14 @@ binary-arch:	checkroot
 	        -d debian/base/usr/share/doc/$(package) \
 		-d debian/base/usr/share/doc/$(package)/examples \
 	        -d debian/base/var/run \
+		-d debian/base/usr/share/$(package) \
 	        -d debian/base/var/lib/misc
 	make $(TARGET) PREFIX=/usr DESTDIR=`pwd`/debian/base CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" COPTS="$(DEB_COPTS)" CC=gcc
 ifeq (,$(findstring nodocs,$(DEB_BUILD_OPTIONS)))
 	install -m 644 doc.html debian/base/usr/share/doc/$(package)/.
 	install -m 644 setup.html debian/base/usr/share/doc/$(package)/.
 	install -m 644 dnsmasq.conf.example debian/base/usr/share/doc/$(package)/examples/.
+	install -m 644 trust-anchors.conf debian/base/usr/share/$(package)/.
 	install -m 644 FAQ debian/base/usr/share/doc/$(package)/.
 	gzip -9 debian/base/usr/share/doc/$(package)/FAQ
 	install -m 644 CHANGELOG debian/base/usr/share/doc/$(package)/changelog

dnsmasq.conf.example

@@ -20,6 +20,10 @@
 # Never forward addresses in the non-routed address spaces.
 #bogus-priv
 
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#dnssec
 
 # Uncomment this to filter useless windows-originated DNS requests
 # which can trigger dial-on-demand links needlessly.

man/dnsmasq.8

@@ -13,7 +13,10 @@ Dnsmasq accepts DNS queries and either answers them from a small, local,
 cache or forwards them to a real, recursive, DNS server. It loads the
 contents of /etc/hosts so that local hostnames
 which do not appear in the global DNS can be resolved and also answers
-DNS queries for DHCP configured hosts. It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.
+DNS queries for DHCP configured hosts. It can also act as the
+authoritative DNS server for one or more domains, allowing local names
+to appear in the global DNS. It can be configured to do DNSSEC
+validation.
 .PP
 The dnsmasq DHCP server supports static address assignments and multiple
 networks. It automatically
@@ -587,12 +590,15 @@ validation by clients more efficient. Note that validation by clients is the mos
 clients unable to do validation, use of the AD bit set by dnsmasq is useful, provided that the network between 
 the dnsmasq server and the client is trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and DNSSEC
 trust anchors provided, see 
-.B --dnsskey.
+.B --trust-anchor.
 Because the DNSSEC validation process uses the cache, it is not permitted to reduce the cache size below the default when DNSSEC is enabled.
 .TP
-.B --dnskey=[<class>],<domain>,<flags>,<algorithm>,<base64-key>
-Provide DNSKEY records to act a trust anchors for DNSSEC validation. Typically these will be the keys for root zone,
-but trust anchors for limited domains are also possible. 
+.B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
+Provide DS records to act a trust anchors for DNSSEC
+validation. Typically these will be the DS record(s) for Zone Signing
+key(s) of the root zone,
+but trust anchors for limited domains are also possible. The current
+root-zone trust anchors may be donwloaded from https://data.iana.org/root-anchors/root-anchors.xml 
 .TP
 .B --proxy-dnssec
 Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.  This is an 
@@ -601,7 +607,10 @@ dnsmasq and the upstream servers, and the trustworthiness of the upstream server
 .TP
 .B --dnssec-debug
 Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, 
-and don't convert BOGUS replies to SERVFAIL responses. 
+and don't convert replies which do not validate to responses with
+a return code of SERVFAIL. Note that
+setting this may affect DNS behaviour in bad ways, it is not an
+extra-logging flag and should not be set in production.
 .TP
 .B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]]
 Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain

src/cache.c

@@ -55,7 +55,9 @@ static const struct {
   { 41,  "OPT" },
   { 43,  "DS" },
   { 46,  "RRSIG" },
+  { 47,  "NSEC" },
   { 48,  "DNSKEY" },
+  { 50,  "NSEC3" },
   { 249, "TKEY" },
   { 250, "TSIG" },
   { 251, "IXFR" },
@@ -458,7 +460,7 @@ struct crec *cache_insert(char *name, struct all_addr *addr,
     return NULL;
   
   /* First remove any expired entries and entries for the name/address we
-     are currently inserting. Fail is we attempt to delete a name from
+     are currently inserting. Fail if we attempt to delete a name from
      /etc/hosts or DHCP. */
   if (!cache_scan_free(name, addr, now, flags))
     {
@@ -592,10 +594,13 @@ void cache_end_insert(void)
   new_chain = NULL;
 }
 
-struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsigned short prot)
+struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsigned int prot)
 {
   struct crec *ans;
+  int no_rr = prot & F_NO_RR;
 
+  prot &= ~F_NO_RR;
+  
   if (crecp) /* iterating */
     ans = crecp->next;
   else
@@ -643,7 +648,7 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
 		    }
 		  else
 		    {
-		      if (!insert)
+		      if (!insert && !no_rr)
 			{
 			  insert = up;
 			  ins_flags = crecp->flags & (F_REVERSE | F_IMMORTAL);
@@ -683,7 +688,7 @@ struct crec *cache_find_by_name(struct crec *crecp, char *name, time_t now, unsi
 }
 
 struct crec *cache_find_by_addr(struct crec *crecp, struct all_addr *addr, 
-				time_t now, unsigned short prot)
+				time_t now, unsigned int prot)
 {
   struct crec *ans;
 #ifdef HAVE_IPV6
@@ -980,7 +985,7 @@ void cache_reload(void)
   struct cname *a;
   struct interface_name *intr;
 #ifdef HAVE_DNSSEC
-  struct dnskey *key;
+  struct ds_config *ds;
 #endif
 
   cache_inserted = cache_live_freed = 0;
@@ -1026,17 +1031,17 @@ void cache_reload(void)
 	}
 
 #ifdef HAVE_DNSSEC
-  for (key = daemon->dnskeys; key; key = key->next)
+  for (ds = daemon->ds; ds; ds = ds->next)
     if ((cache = whine_malloc(sizeof(struct crec))) &&
-	(cache->addr.key.keydata = blockdata_alloc(key->key, key->keylen)))
+	(cache->addr.ds.keydata = blockdata_alloc(ds->digest, ds->digestlen)))
       {
-	cache->flags = F_FORWARD | F_IMMORTAL | F_DNSKEY | F_CONFIG | F_NAMEP;
-	cache->name.namep = key->name;
-	cache->addr.key.keylen = key->keylen;
-	cache->addr.key.algo = key->algo;
-	cache->addr.key.flags = key->flags;
-	cache->addr.key.keytag = dnskey_keytag(key->algo, key->flags, (unsigned char *)key->key, key->keylen);
-	cache->uid = key->class;
+	cache->flags = F_FORWARD | F_IMMORTAL | F_DS | F_CONFIG | F_NAMEP;
+	cache->name.namep = ds->name;
+	cache->addr.ds.keylen = ds->digestlen;
+	cache->addr.ds.algo = ds->algo;
+	cache->addr.ds.keytag = ds->keytag;
+	cache->addr.ds.digest = ds->digest_type;
+	cache->uid = ds->class;
 	cache_hash(cache);
       }
 #endif
@@ -1298,12 +1303,10 @@ void dump_cache(time_t now)
 	      {
 		if (cache->flags & F_DNSKEY)
 		  {
-		    char tp[20];
 		    /* RRSIG */
-		    querystr("", tp, cache->addr.sig.type_covered);
 		    a = daemon->addrbuff;
 		    sprintf(a, "%5u %3u %s", cache->addr.sig.keytag,
-			    cache->addr.sig.algo, tp);
+			    cache->addr.sig.algo, querystr("", cache->addr.sig.type_covered));
 		  }
 		else
 		  {
@@ -1379,14 +1382,45 @@ char *record_source(int index)
   return "<unknown>";
 }
 
-void querystr(char *desc, char *str, unsigned short type)
+char *querystr(char *desc, unsigned short type)
 {
   unsigned int i;
-  
-  sprintf(str, "%s[type=%d]", desc, type); 
+  int len = 10; /* strlen("type=xxxxx") */
+  const char *types = NULL;
+  static char *buff = NULL;
+  static int bufflen = 0;
+
   for (i = 0; i < (sizeof(typestr)/sizeof(typestr[0])); i++)
     if (typestr[i].type == type)
-      sprintf(str,"%s[%s]", desc, typestr[i].name);
+      {
+	types = typestr[i].name;
+	len = strlen(types);
+	break;
+      }
+
+  len += 3; /* braces, terminator */
+  len += strlen(desc);
+
+  if (!buff || bufflen < len)
+    {
+      if (buff)
+	free(buff);
+      else if (len < 20)
+	len = 20;
+      
+      buff = whine_malloc(len);
+      bufflen = len;
+    }
+
+  if (buff)
+    {
+      if (types)
+	sprintf(buff, "%s[%s]", desc, types);
+      else
+	sprintf(buff, "%s[type=%d]", desc, type);
+    }
+
+  return buff ? buff : "";
 }
 
 void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg)

src/config.h

@@ -19,6 +19,7 @@
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
 #define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
 #define KEYBLOCK_LEN 35 /* choose to mininise fragmentation when storing DNSSEC keys */
+#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
 #define TIMEOUT 10 /* drop UDP queries after TIMEOUT seconds */
 #define FORWARD_TEST 50 /* try all servers every 50 queries */
 #define FORWARD_TIME 20 /* or 20 seconds */

src/dnsmasq.c

@@ -144,7 +144,7 @@ int main (int argc, char **argv)
   if (option_bool(OPT_DNSSEC_VALID))
     {
 #ifdef HAVE_DNSSEC
-      if (!daemon->dnskeys)
+      if (!daemon->ds)
 	die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
       
       if (daemon->cachesize < CACHESIZ)

src/dnsmasq.h

@@ -295,10 +295,10 @@ struct cname {
   struct cname *next;
 }; 
 
-struct dnskey {
-  char *name, *key;
-  int keylen, class, algo, flags;
-  struct dnskey *next;
+struct ds_config {
+  char *name, *digest;
+  int digestlen, class, algo, keytag, digest_type;
+  struct ds_config *next;
 };
 
 #define ADDRLIST_LITERAL 1
@@ -423,6 +423,7 @@ struct crec {
 #define F_DNSSEC    (1u<<22)
 #define F_KEYTAG    (1u<<23)
 #define F_SECSTAT   (1u<<24)
+#define F_NO_RR     (1u<<25)
 
 
 /* struct sockaddr is not large enough to hold any address,
@@ -538,6 +539,7 @@ struct hostsfile {
 #define FREC_HAS_SUBNET         4
 #define FREC_DNSKEY_QUERY       8
 #define FREC_DS_QUERY          16
+#define FREC_AD_QUESTION       32
 
 #ifdef HAVE_DNSSEC
 #define HASH_SIZE 20 /* SHA-1 digest size */
@@ -559,7 +561,7 @@ struct frec {
   time_t time;
   unsigned char *hash[HASH_SIZE];
 #ifdef HAVE_DNSSEC 
-  int class;
+  int class, work_counter;
   struct blockdata *stash; /* Saved reply, whilst we validate */
   size_t stash_len;
   struct frec *dependent; /* Query awaiting internally-generated DNSKEY or DS query */
@@ -928,7 +930,7 @@ extern struct daemon {
   struct prefix_class *prefix_classes;
 #endif
 #ifdef HAVE_DNSSEC
-  struct dnskey *dnskeys;
+  struct ds_config *ds;
 #endif
 
   /* globally used stuff for DNS */
@@ -990,12 +992,12 @@ extern struct daemon {
 void cache_init(void);
 void log_query(unsigned int flags, char *name, struct all_addr *addr, char *arg); 
 char *record_source(int index);
-void querystr(char *desc, char *str, unsigned short type);
+char *querystr(char *desc, unsigned short type);
 struct crec *cache_find_by_addr(struct crec *crecp,
 				struct all_addr *addr, time_t now, 
-				unsigned short prot);
+				unsigned int prot);
 struct crec *cache_find_by_name(struct crec *crecp, 
-				char *name, time_t now, unsigned short  prot);
+				char *name, time_t now, unsigned int prot);
 void cache_end_insert(void);
 void cache_start_insert(void);
 struct crec *cache_insert(char *name, struct all_addr *addr,
@@ -1040,7 +1042,8 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff,
 		      time_t now, char **ipsets, int is_sign, int checkrebind,
 		      int no_cache, int secure, int *doctored);
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
-		   struct in_addr local_addr, struct in_addr local_netmask, time_t now);
+		      struct in_addr local_addr, struct in_addr local_netmask, 
+		      time_t now, int *ad_reqd);
 int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, 
 			     struct bogus_addr *addr, time_t now);
 unsigned char *find_pseudoheader(struct dns_header *header, size_t plen,
@@ -1104,9 +1107,6 @@ void prettyprint_time(char *buf, unsigned int t);
 int prettyprint_addr(union mysockaddr *addr, char *buf);
 int parse_hex(char *in, unsigned char *out, int maxlen, 
 	      unsigned int *wildcard_mask, int *mac_type);
-#ifdef HAVE_DNSSEC
-int parse_base64(char *in, char *out);
-#endif
 int memcmp_masked(unsigned char *a, unsigned char *b, int len, 
 		  unsigned int mask);
 int expand_buf(struct iovec *iov, size_t size);

src/dnssec.c

@@ -505,7 +505,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
        j != 0; j--) 
     {
       unsigned char *pstart, *pdata;
-      int stype, sclass, ttl;
+      int stype, sclass;
 
       pstart = p;
       
@@ -514,7 +514,7 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
       
       GETSHORT(stype, p);
       GETSHORT(sclass, p);
-      GETLONG(ttl, p);
+      p += 4; /* TTL */
       
       pdata = p;
 
@@ -531,6 +531,11 @@ static int validate_rrset(time_t now, struct dns_header *header, size_t plen, in
 		{
 		  unsigned char **new;
 
+		  /* Protect against insane/maliciuos queries which bloat the workspace
+		     and eat CPU in the sort */
+		  if (rrsetidx >= 100)
+		    return STAT_INSECURE; 
+
 		  /* expand */
 		  if (!(new = whine_malloc((rrset_sz + 5) * sizeof(unsigned char **))))
 		    return STAT_INSECURE;
@@ -1163,6 +1168,7 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
 			       type_covered == T_DNSKEY || type_covered == T_PTR)) 
 			    {
 			      a.addr.dnssec.type = type_covered;
+			      a.addr.dnssec.class = class1;
 			      
 			      algo = *p2++;
 			      p2 += 13; /* labels, orig_ttl, expiration, inception */
@@ -1368,12 +1374,12 @@ int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen)
     }
   else
     {
-      unsigned long ac;
+      unsigned long ac = flags + 0x300 + alg;
       int i;
 
-      ac = ((htons(flags) >> 8) | ((htons(flags) << 8) & 0xff00)) + 0x300 + alg;
       for (i = 0; i < keylen; ++i)
         ac += (i & 1) ? key[i] : key[i] << 8;
+
       ac += (ac >> 16) & 0xffff;
       return ac & 0xffff;
     }
@@ -1382,9 +1388,7 @@ int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen)
 size_t dnssec_generate_query(struct dns_header *header, char *end, char *name, int class, int type, union mysockaddr *addr)
 {
   unsigned char *p;
-  char types[20];
-  
-  querystr("dnssec-query", types, type);
+  char *types = querystr("dnssec-query", type);
 
   if (addr->sa.sa_family == AF_INET) 
     log_query(F_DNSSEC | F_IPV4, name, (struct all_addr *)&addr->in.sin_addr, types);

src/forward.c

@@ -234,7 +234,8 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp,
 
 static int forward_query(int udpfd, union mysockaddr *udpaddr,
 			 struct all_addr *dst_addr, unsigned int dst_iface,
-			 struct dns_header *header, size_t plen, time_t now, struct frec *forward)
+			 struct dns_header *header, size_t plen, time_t now, 
+			 struct frec *forward, int ad_reqd)
 {
   char *domain = NULL;
   int type = 0, norebind = 0;
@@ -249,9 +250,6 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 #endif
  unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
 
-  /* RFC 4035: sect 4.6 para 2 */
-  header->hb4 &= ~HB4_AD;
-  
   /* may be no servers available. */
   if (!daemon->servers)
     forward = NULL;
@@ -334,6 +332,11 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 	    forward->flags |= FREC_NOREBIND;
 	  if (header->hb4 & HB4_CD)
 	    forward->flags |= FREC_CHECKING_DISABLED;
+	  if (ad_reqd)
+	    forward->flags |= FREC_AD_QUESTION;
+#ifdef HAVE_DNSSEC
+	  forward->work_counter = DNSSEC_WORK;
+#endif
 
 	  header->id = htons(forward->new_id);
 	  
@@ -503,13 +506,15 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 }
 
 static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, 
-			    int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source)
+			    int no_cache, int cache_secure, int ad_reqd, int check_subnet, union mysockaddr *query_source)
 {
   unsigned char *pheader, *sizep;
   char **sets = 0;
   int munged = 0, is_sign;
   size_t plen; 
 
+  (void)ad_reqd;
+
 #ifdef HAVE_IPSET
   /* Similar algorithm to search_servers. */
   struct ipsets *ipset_pos;
@@ -535,15 +540,13 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 
   if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
     {
-      if (!is_sign)
-	{
-	  unsigned short udpsz;
-	  unsigned char *psave = sizep;
-	  
-	  GETSHORT(udpsz, sizep);
-	  if (udpsz > daemon->edns_pktsz)
-	    PUTSHORT(daemon->edns_pktsz, psave);
-	}
+      unsigned short udpsz;
+      unsigned char *psave = sizep;
+      
+      GETSHORT(udpsz, sizep);
+
+      if (!is_sign && udpsz > daemon->edns_pktsz)
+	PUTSHORT(daemon->edns_pktsz, psave);
       
       if (check_subnet && !check_source(header, plen, pheader, query_source))
 	{
@@ -551,7 +554,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	  return 0;
 	}
     }
-      
+  
   /* RFC 4035 sect 4.6 para 3 */
   if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
      header->hb4 &= ~HB4_AD;
@@ -619,7 +622,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
   if (option_bool(OPT_DNSSEC_VALID))
     header->hb4 &= ~HB4_AD;
   
-  if (!(header->hb4 & HB4_CD) && cache_secure)
+  if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
     header->hb4 |= HB4_AD;
 #endif
 
@@ -705,7 +708,7 @@ void reply_query(int fd, int family, time_t now)
 	  if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
 	    {
 	      header->hb3 &= ~(HB3_QR | HB3_TC);
-	      forward_query(-1, NULL, NULL, 0, header, nn, now, forward);
+	      forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0);
 	      return;
 	    }
 	}
@@ -775,15 +778,31 @@ void reply_query(int fd, int family, time_t now)
 	    status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
 	  else
 	    status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);
-	    
+
 	  /* Can't validate, as we're missing key data. Put this
 	     answer aside, whilst we get that. */     
 	  if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
 	    {
-	      struct frec *new;
+	      struct frec *new, *orig;
 	      
-	      if ((new = get_new_frec(now, NULL, 1)))
+	      /* Free any saved query */
+	      if (forward->stash)
+		blockdata_free(forward->stash);
+	      
+	      /* Now save reply pending receipt of key data */
+	      if (!(forward->stash = blockdata_alloc((char *)header, n)))
+		return;
+	      forward->stash_len = n;
+	      
+	    anotherkey:	      
+	      /* Find the original query that started it all.... */
+	      for (orig = forward; orig->dependent; orig = orig->dependent);
+
+	      if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
+		status = STAT_INSECURE;
+	      else
 		{
+		  int fd;
 		  struct frec *next = new->next;
 		  *new = *forward; /* copy everything, then overwrite */
 		  new->next = next;
@@ -794,80 +813,67 @@ void reply_query(int fd, int family, time_t now)
 #endif
 		  new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
 		  
-		  /* Free any saved query */
-		  if (forward->stash)
-		    blockdata_free(forward->stash);
+		  new->dependent = forward; /* to find query awaiting new one. */
+		  forward->blocking_query = new; /* for garbage cleaning */
+		  /* validate routines leave name of required record in daemon->keyname */
+		  if (status == STAT_NEED_KEY)
+		    {
+		      new->flags |= FREC_DNSKEY_QUERY; 
+		      nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
+						 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
+		    }
+		  else 
+		    {
+		      new->flags |= FREC_DS_QUERY;
+		      nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
+						 daemon->keyname, forward->class, T_DS, &server->addr);
+		    }
+		  if ((hash = hash_questions(header, nn, daemon->namebuff)))
+		    memcpy(new->hash, hash, HASH_SIZE);
+		  new->new_id = get_id();
+		  header->id = htons(new->new_id);
+		  /* Save query for retransmission */
+		  new->stash = blockdata_alloc((char *)header, nn);
+		  new->stash_len = nn;
 		  
-		  /* Now save reply pending receipt of key data */
-		  if (!(forward->stash = blockdata_alloc((char *)header, n)))
-		    free_frec(new); /* malloc failure, unwind */
+		  /* Don't resend this. */
+		  daemon->srv_save = NULL;
+		  
+		  if (server->sfd)
+		    fd = server->sfd->fd;
 		  else
 		    {
-		      int fd;
-		      
-		      forward->stash_len = n;
-		      
-		      new->dependent = forward; /* to find query awaiting new one. */
-		      forward->blocking_query = new; /* for garbage cleaning */
-		      /* validate routines leave name of required record in daemon->keyname */
-		      if (status == STAT_NEED_KEY)
-			{
-			  new->flags |= FREC_DNSKEY_QUERY; 
-			  nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
-						     daemon->keyname, forward->class, T_DNSKEY, &server->addr);
-			}
-		      else 
-			{
-			  new->flags |= FREC_DS_QUERY;
-			  nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
-						     daemon->keyname, forward->class, T_DS, &server->addr);
-			}
-		      if ((hash = hash_questions(header, nn, daemon->namebuff)))
-			memcpy(new->hash, hash, HASH_SIZE);
-		      new->new_id = get_id();
-		      header->id = htons(new->new_id);
-		      /* Save query for retransmission */
-		      new->stash = blockdata_alloc((char *)header, nn);
-		      new->stash_len = nn;
-
-		      /* Don't resend this. */
-		      daemon->srv_save = NULL;
-	
-		      if (server->sfd)
-			fd = server->sfd->fd;
-		      else
-			{
-			  fd = -1;
+		      fd = -1;
 #ifdef HAVE_IPV6
-			  if (server->addr.sa.sa_family == AF_INET6)
-			    {
-			      if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
-				fd = new->rfd6->fd;
-			    }
-			  else
-#endif
-			    {
-			      if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
-				fd = new->rfd4->fd;
-			    }
-			}
-		      
-		      if (fd != -1)
+		      if (server->addr.sa.sa_family == AF_INET6)
 			{
-			  while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send()); 
-			  server->queries++;
+			  if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
+			    fd = new->rfd6->fd;
+			}
+		      else
+#endif
+			{
+			  if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
+			    fd = new->rfd4->fd;
 			}
 		    }
+		  
+		  if (fd != -1)
+		    {
+		      while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send()); 
+		      server->queries++;
+		    }
+		  
+		  return;
 		}
-	     
-	      return;
 	    }
 	  
 	  /* Ok, we reached far enough up the chain-of-trust that we can validate something.
 	     Now wind back down, pulling back answers which wouldn't previously validate
-	     and validate them with the new data. Failure to find needed data here is an internal error.
-	     Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates,
-	     return it to the original requestor. */
+	     and validate them with the new data. Note that if an answer needs multiple
+	     keys to validate, we may find another key is needed, in which case we set off
+	     down another branch of the tree. Once we get to the original answer 
+	     (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
 	  while (forward->dependent)
 	    {
 	      struct frec *prev = forward->dependent;
@@ -887,18 +893,23 @@ void reply_query(int fd, int family, time_t now)
 		    status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class);	
 		  
 		  if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
-		    {
-		      my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
-		      status = STAT_INSECURE;
-		    }
+		    goto anotherkey;
 		}
 	    }
 	  
 	  if (status == STAT_TRUNCATED)
 	    header->hb3 |= HB3_TC;
 	  else
-	    log_query(F_KEYTAG | F_SECSTAT, "result", NULL, 
-		      status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+	    {
+	      char *result;
+	      
+	      if (forward->work_counter == 0)
+		result = "ABANDONED";
+	      else
+		result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+	      
+	      log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+	    }
 	  
 	  no_cache_dnssec = 0;
 	  
@@ -906,17 +917,17 @@ void reply_query(int fd, int family, time_t now)
 	    cache_secure = 1;
 	  else if (status == STAT_BOGUS)
 	    no_cache_dnssec = 1;
-	  
-	  /* restore CD bit to the value in the query */
-	  if (forward->flags & FREC_CHECKING_DISABLED)
-	    header->hb4 |= HB4_CD;
-	  else
-	    header->hb4 &= ~HB4_CD;
 	}
-#endif
+#endif     
+      
+      /* restore CD bit to the value in the query */
+      if (forward->flags & FREC_CHECKING_DISABLED)
+	header->hb4 |= HB4_CD;
+      else
+	header->hb4 &= ~HB4_CD;
       
       if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
-			      forward->flags & FREC_HAS_SUBNET, &forward->source)))
+			      forward->flags & FREC_AD_QUESTION, forward->flags & FREC_HAS_SUBNET, &forward->source)))
 	{
 	  header->id = htons(forward->orig_id);
 	  header->hb4 |= HB4_RA; /* recursion if available */
@@ -1117,13 +1128,11 @@ void receive_query(struct listener *listen, time_t now)
   
   if (extract_request(header, (size_t)n, daemon->namebuff, &type))
     {
-      char types[20];
 #ifdef HAVE_AUTH
       struct auth_zone *zone;
 #endif
-
-      querystr(auth_dns ? "auth" : "query", types, type);
-
+      char *types = querystr(auth_dns ? "auth" : "query", type);
+      
       if (listen->family == AF_INET) 
 	log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff, 
 		  (struct all_addr *)&source_addr.in.sin_addr, types);
@@ -1160,8 +1169,9 @@ void receive_query(struct listener *listen, time_t now)
   else
 #endif
     {
+      int ad_reqd;
       m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, 
-			 dst_addr_4, netmask, now);
+			 dst_addr_4, netmask, now, &ad_reqd);
       
       if (m >= 1)
 	{
@@ -1170,7 +1180,7 @@ void receive_query(struct listener *listen, time_t now)
 	  daemon->local_answer++;
 	}
       else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
-			     header, (size_t)n, now, NULL))
+			     header, (size_t)n, now, NULL, ad_reqd))
 	daemon->queries_forwarded++;
       else
 	daemon->local_answer++;
@@ -1178,60 +1188,73 @@ void receive_query(struct listener *listen, time_t now)
 }
 
 #ifdef HAVE_DNSSEC
-static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server)
+static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, 
+			   int class, char *name, char *keyname, struct server *server, int *keycount)
 {
   /* Recurse up the key heirarchy */
-  size_t n; 
-  unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
-  unsigned char *payload = &packet[2];
-  struct dns_header *header = (struct dns_header *)payload;
-  u16 *length = (u16 *)packet;
   int new_status;
-  unsigned char c1, c2;
 
-  n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class, 
-			    status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
+  /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
+  if (--(*keycount) == 0)
+    return STAT_INSECURE;
   
-  *length = htons(n);
-  
-  if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) ||
-      !read_write(server->tcpfd, &c1, 1, 1) ||
-      !read_write(server->tcpfd, &c2, 1, 1) ||
-      !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
-    {
-      close(server->tcpfd);
-      server->tcpfd = -1;
-      new_status = STAT_INSECURE;
-    }
+  if (status == STAT_NEED_KEY)
+    new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
+  else if (status == STAT_NEED_DS)
+    new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
   else
+    new_status = dnssec_validate_reply(now, header, n, name, keyname, &class);
+  
+  /* Can't validate because we need a key/DS whose name now in keyname.
+     Make query for same, and recurse to validate */
+  if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
     {
-      n = (c1 << 8) | c2;
+      size_t m; 
+      unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
+      unsigned char *payload = &packet[2];
+      struct dns_header *new_header = (struct dns_header *)payload;
+      u16 *length = (u16 *)packet;
+      unsigned char c1, c2;
+       
+      if (!packet)
+	return STAT_INSECURE;
+
+    another_tcp_key:
+      m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class, 
+				new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
       
-      if (status == STAT_NEED_KEY)
-	new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
+      *length = htons(m);
+      
+      if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
+	  !read_write(server->tcpfd, &c1, 1, 1) ||
+	  !read_write(server->tcpfd, &c2, 1, 1) ||
+	  !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
+	new_status = STAT_INSECURE;
       else
-	new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
-      
-      if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
 	{
-	  if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE))
+	  m = (c1 << 8) | c2;
+	  
+	  if (tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount) == STAT_SECURE)
 	    {
-	      if (status ==  STAT_NEED_KEY)
-		new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
-	      else
-		new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class);
+	      /* Reached a validated record, now try again at this level.
+		 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
+		 If so, go round again. */
 	      
+	      if (status == STAT_NEED_KEY)
+		new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
+	      else if (status == STAT_NEED_DS)
+		new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
+	      else
+		new_status = dnssec_validate_reply(now, header, n, name, keyname, &class);
+
 	      if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
-		{
-		  my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation"));
-		  status = STAT_INSECURE;
-		}
+		goto another_tcp_key;
 	    }
 	}
+
+      free(packet);
     }
-
-  free(packet);
-
+  
   return new_status;
 }
 #endif
@@ -1249,7 +1272,7 @@ unsigned char *tcp_request(int confd, time_t now,
 #ifdef HAVE_AUTH
   int local_auth = 0;
 #endif
-  int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
+  int checking_disabled, ad_question, check_subnet, no_cache_dnssec = 0, cache_secure = 0;
   size_t m;
   unsigned short qtype;
   unsigned int gotname;
@@ -1285,16 +1308,12 @@ unsigned char *tcp_request(int confd, time_t now,
       if ((checking_disabled = header->hb4 & HB4_CD))
 	no_cache_dnssec = 1;
        
-      /* RFC 4035: sect 4.6 para 2 */
-      header->hb4 &= ~HB4_AD;
-      
       if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
 	{
-	  char types[20];
 #ifdef HAVE_AUTH
 	  struct auth_zone *zone;
 #endif
-	  querystr(auth_dns ? "auth" : "query", types, qtype);
+	  char *types = querystr(auth_dns ? "auth" : "query", qtype);
 	  
 	  if (peer_addr.sa.sa_family == AF_INET) 
 	    log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff, 
@@ -1331,7 +1350,7 @@ unsigned char *tcp_request(int confd, time_t now,
 	{
 	  /* m > 0 if answered from cache */
 	  m = answer_request(header, ((char *) header) + 65536, (size_t)size, 
-			     dst_addr_4, netmask, now);
+			     dst_addr_4, netmask, now, &ad_question);
 	  
 	  /* Do this by steam now we're not in the select() loop */
 	  check_log_writer(NULL); 
@@ -1463,22 +1482,20 @@ unsigned char *tcp_request(int confd, time_t now,
 #ifdef HAVE_DNSSEC
 		      if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
 			{
-			  int class, status;
-			  
-			  status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
-			  
-			  if (status == STAT_NEED_DS || status == STAT_NEED_KEY)
-			    {
-			      if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE)
-				status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class);
-			    }
-
-			  log_query(F_KEYTAG | F_SECSTAT, "result", NULL, 
-				    status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+			  int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
+			  int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
+			  char *result;
 
+			  if (keycount == 0)
+			    result = "ABANDONED";
+			  else
+			    result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
+			  
+			  log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+			  
 			  if (status == STAT_BOGUS)
 			    no_cache_dnssec = 1;
-
+			  
 			  if (status == STAT_SECURE)
 			    cache_secure = 1;
 			}
@@ -1513,7 +1530,7 @@ unsigned char *tcp_request(int confd, time_t now,
 
 		      m = process_reply(header, now, last_server, (unsigned int)m, 
 					option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
-					cache_secure, check_subnet, &peer_addr); 
+					cache_secure, ad_question, check_subnet, &peer_addr); 
 		      
 		      break;
 		    }

src/option.c

@@ -139,7 +139,7 @@ struct myoption {
 #define LOPT_QUIET_DHCP6  327
 #define LOPT_QUIET_RA     328
 #define LOPT_SEC_VALID    329
-#define LOPT_DNSKEY       330
+#define LOPT_TRUST_ANCHOR 330
 #define LOPT_DNSSEC_DEBUG 331
 
 #ifdef HAVE_GETOPT_LONG
@@ -277,7 +277,7 @@ static const struct myoption opts[] =
     { "ipset", 1, 0, LOPT_IPSET },
     { "synth-domain", 1, 0, LOPT_SYNTH },
     { "dnssec", 0, 0, LOPT_SEC_VALID },
-    { "dnskey", 1, 0, LOPT_DNSKEY },
+    { "trust-anchor", 1, 0, LOPT_TRUST_ANCHOR },
     { "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG },
 #ifdef OPTION6_PREFIX_CLASS 
     { "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS },
@@ -430,7 +430,7 @@ static struct {
   { LOPT_IPSET, ARG_DUP, "/<domain>/<ipset>[,<ipset>...]", gettext_noop("Specify ipsets to which matching domains should be added"), NULL },
   { LOPT_SYNTH, ARG_DUP, "<domain>,<range>,[<prefix>]", gettext_noop("Specify a domain and address range for synthesised names"), NULL },
   { LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC validation"), NULL },
-  { LOPT_DNSKEY, ARG_DUP, "<domain>,<algo>,<key>", gettext_noop("Specify trust anchor DNSKEY"), NULL },
+  { LOPT_TRUST_ANCHOR, ARG_DUP, "<domain>,[<class>],...", gettext_noop("Specify trust anchor key digest."), NULL },
   { LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
 #ifdef OPTION6_PREFIX_CLASS 
   { LOPT_PREF_CLSS, ARG_DUP, "set:tag,<class>", gettext_noop("Specify DHCPv6 prefix class"), NULL },
@@ -590,6 +590,16 @@ static int atoi_check16(char *a, int *res)
 
   return 1;
 }
+
+static int atoi_check8(char *a, int *res)
+{
+  if (!(atoi_check(a, res)) ||
+      *res < 0 ||
+      *res > 0xff)
+    return 0;
+
+  return 1;
+}
 	
 static void add_txt(char *name, char *txt)
 {
@@ -3675,10 +3685,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
       }
 
 #ifdef HAVE_DNSSEC
-    case LOPT_DNSKEY:
+    case LOPT_TRUST_ANCHOR:
       {
-	struct dnskey *new = opt_malloc(sizeof(struct dnskey));
-      	char *key64, *algo = NULL;
+	struct ds_config *new = opt_malloc(sizeof(struct ds_config));
+      	char *cp, *cp1, *keyhex, *digest, *algo = NULL;
+	int len;
 	
 	new->class = C_IN;
 
@@ -3700,20 +3711,30 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
 	      }
 	  }
 		  
-       	if (!comma || !algo || !(key64 = split(algo)) ||
-	    !atoi_check16(comma, &new->flags) || !atoi_check16(algo, &new->algo) ||
+       	if (!comma || !algo || !(digest = split(algo)) || !(keyhex = split(digest)) ||
+	    !atoi_check16(comma, &new->keytag) || 
+	    !atoi_check8(algo, &new->algo) ||
+	    !atoi_check8(digest, &new->digest_type) ||
 	    !(new->name = canonicalise_opt(arg)))
-	  ret_err(_("bad DNSKEY"));
+	  ret_err(_("bad trust anchor"));
 	    
 	/* Upper bound on length */
-	new->key = opt_malloc((3*strlen(key64)/4)+1);
-	unhide_metas(key64);
-	if ((new->keylen = parse_base64(key64, new->key)) == -1)
-	  ret_err(_("bad base64 in DNSKEY"));
+	len = (2*strlen(keyhex))+1;
+	new->digest = opt_malloc(len);
+	unhide_metas(keyhex);
+	/* 4034: "Whitespace is allowed within digits" */
+	for (cp = keyhex; *cp; )
+	  if (isspace(*cp))
+	    for (cp1 = cp; *cp1; cp1++)
+	      *cp1 = *(cp1+1);
+	  else
+	    cp++;
+	if ((new->digestlen = parse_hex(keyhex, (unsigned char *)new->digest, len, NULL, NULL)) == -1)
+	  ret_err(_("bad HEX in trust anchor"));
+	
+	new->next = daemon->ds;
+	daemon->ds = new;
 	
-	new->next = daemon->dnskeys;
-	daemon->dnskeys = new;
-
 	break;
       }
 #endif

src/rfc1035.c

@@ -1242,7 +1242,7 @@ int check_for_local_domain(char *name, time_t now)
   struct ptr_record *ptr;
   struct naptr *naptr;
 
-  if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME)) &&
+  if ((crecp = cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_CNAME | F_NO_RR)) &&
       (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
     return 1;
   
@@ -1452,7 +1452,8 @@ static unsigned long crec_ttl(struct crec *crecp, time_t now)
 
 /* return zero if we can't answer from cache, or packet size if we can */
 size_t answer_request(struct dns_header *header, char *limit, size_t qlen,  
-		      struct in_addr local_addr, struct in_addr local_netmask, time_t now) 
+		      struct in_addr local_addr, struct in_addr local_netmask, 
+		      time_t now, int *ad_reqd) 
 {
   char *name = daemon->namebuff;
   unsigned char *p, *ansp, *pheader;
@@ -1468,10 +1469,13 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
   struct mx_srv_record *rec;
   size_t len;
  
-  /* Don't return AD set even for local data if checking disabled. */
+  /* Don't return AD set if checking disabled. */
   if (header->hb4 & HB4_CD)
     sec_data = 0;
-
+  
+  /* RFC 6840 5.7 */
+  *ad_reqd = header->hb4 & HB4_AD;
+  
   /* If there is an RFC2671 pseudoheader then it will be overwritten by
      partial replies, so we have to do a dry run to see if we can answer
      the query. We check to see if the do bit is set, if so we always
@@ -1490,6 +1494,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
       GETSHORT(flags, pheader);
       
       sec_reqd = flags & 0x8000; /* do bit */ 
+      *ad_reqd = 1;
 
       /* If our client is advertising a larger UDP packet size
 	 than we allow, trim it so that we don't get an overlarge
@@ -1551,37 +1556,33 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	}
 
 #ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DNSKEY || qtype == T_DS || qtype == T_RRSIG))
+      if (option_bool(OPT_DNSSEC_VALID) && (qtype == T_DNSKEY || qtype == T_DS))
 	{
-	  int gotone = 0, have_rrsig = 0;
+	  int gotone = 0;
 	  struct blockdata *keydata;
 
 	  /* Do we have RRSIG? Can't do DS or DNSKEY otherwise. */
-	  crecp = NULL;
-	  while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
-	    if (crecp->uid == qclass && (qtype == T_RRSIG || crecp->addr.sig.type_covered == qtype))
-	      {
-		have_rrsig = 1;
-		break;
-	      }
-	  
-	  if (qtype == T_RRSIG && have_rrsig)
+	  if (sec_reqd)
 	    {
-	      ans = gotone = 1;
-	      auth = 0;
-	    }
-	  else if (qtype == T_DS && have_rrsig)
-	    {
-	      auth = 0;
 	      crecp = NULL;
-	      while ((crecp = cache_find_by_name(crecp, name, now, F_DS)))
-		if (crecp->uid == qclass)
-		  {
-		    ans = gotone = 1;
-		    if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.ds.keydata, crecp->addr.ds.keylen, NULL)))
-		      {			     			      
-			struct all_addr a;
-			a.addr.keytag =  crecp->addr.ds.keytag;
+	      while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
+		if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype)
+		  break;
+	    }
+	  
+	  if (!sec_reqd || crecp)
+	    {
+	      if (qtype == T_DS)
+		{
+		  crecp = NULL;
+		  while ((crecp = cache_find_by_name(crecp, name, now, F_DS)))
+		    if (crecp->uid == qclass)
+		      {
+			gotone = 1;
+			if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.ds.keydata, crecp->addr.ds.keylen, NULL)))
+			  {			     			      
+			    struct all_addr a;
+			    a.addr.keytag =  crecp->addr.ds.keytag;
 			    log_query(F_KEYTAG | (crecp->flags & F_CONFIG), name, &a, "DS keytag %u");
 			    if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 						    crec_ttl(crecp, now), &nameoffset,
@@ -1589,20 +1590,16 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 						    crecp->addr.ds.keytag, crecp->addr.ds.algo, crecp->addr.ds.digest, crecp->addr.ds.keylen, keydata))
 			      anscount++;
 			    
-		      } 
-		  }
-	    }
-	  else if (qtype == T_DNSKEY)
-	    {
-	      crecp = NULL;
-	      while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY)))
-		if (crecp->uid == qclass)
-		  {
-		    if ((crecp->flags & F_CONFIG) || have_rrsig) /* Return configured keys without an RRISG */
+			  } 
+		      }
+		}
+	      else /* DNSKEY */
+		{
+		  crecp = NULL;
+		  while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY)))
+		    if (crecp->uid == qclass)
 		      {
-			if (!(crecp->flags & F_CONFIG))
-			  auth = 0, gotone = 1;
-			ans = 1;
+			gotone = 1;
 			if (!dryrun && (keydata = blockdata_retrieve(crecp->addr.key.keydata, crecp->addr.key.keylen, NULL)))
 			  {			     			      
 			    struct all_addr a;
@@ -1615,30 +1612,27 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			      anscount++;
 			  }
 		      }
-		  }
+		}
 	    }
-	      
+	  
 	  /* Now do RRSIGs */
 	  if (gotone)
 	    {
-	      crecp = NULL;
-	      while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
-		if (crecp->uid == qclass && (qtype == T_RRSIG || (sec_reqd && crecp->addr.sig.type_covered == qtype)) &&
-		    !dryrun &&
-		    (keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL)))
-		  {
-		    if (qtype == T_RRSIG)
+	      ans = 1;
+	      auth = 0;
+	      if (!dryrun && sec_reqd)
+		{
+		  crecp = NULL;
+		  while ((crecp = cache_find_by_name(crecp, name, now, F_DNSKEY | F_DS)))
+		    if (crecp->uid == qclass && crecp->addr.sig.type_covered == qtype &&
+			(keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL)))
 		      {
-			char types[20];
-			querystr("rrsig", types, crecp->addr.sig.type_covered);
-			log_query(F_RRNAME, name, NULL, types);
-		      }
-		    if ((keydata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL)) &&
 			add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
 					    crec_ttl(crecp, now), &nameoffset,
-					    T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata))
-		      anscount++;
-		  }
+					    T_RRSIG, qclass, "t", crecp->addr.sig.keylen, keydata);
+			anscount++;
+		      }
+		}
 	    }
 	}
 #endif	     
@@ -1742,24 +1736,25 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		      else if (crecp->flags & F_DNSSECOK)
 			{
 			  int gotsig = 0;
-			  
-			  crecp = NULL;
-			  while ((crecp = cache_find_by_name(crecp, name, now, F_DS | F_DNSKEY)))
+			  struct crec *rr_crec = NULL;
+
+			  while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY)))
 			    {
-			      if (crecp->addr.sig.type_covered == T_PTR && crecp->uid == C_IN)
+			      if (rr_crec->addr.sig.type_covered == T_PTR && rr_crec->uid == C_IN)
 				{
-				  char *sigdata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL);
+				  char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL);
 				  gotsig = 1;
 				  
 				  if (!dryrun && 
 				      add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-							  crecp->ttd - now, &nameoffset,
+							  rr_crec->ttd - now, &nameoffset,
 							  T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata))
 				    anscount++;
 				}
 			    } 
-			  /* Need to re-run original cache search */
-			  crecp = gotsig ? cache_find_by_addr(NULL, &addr, now, is_arpa) : NULL;
+			  
+			  if (!gotsig)
+			    crecp = NULL;
 			}
 #endif
 		    }
@@ -1923,7 +1918,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		}
 
 	    cname_restart:
-	      if ((crecp = cache_find_by_name(NULL, name, now, flag | F_CNAME)))
+	      if ((crecp = cache_find_by_name(NULL, name, now, flag | F_CNAME | (dryrun ? F_NO_RR : 0))))
 		{
 		  int localise = 0;
 		  
@@ -1954,7 +1949,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		      else if (crecp->flags & F_DNSSECOK)
 			{
 			  /* We're returning validated data, need to return the RRSIG too. */
-			  
+			  struct crec *rr_crec = NULL;
 			  int sigtype = type;
 			  /* The signature may have expired even though the data is still in cache, 
 			     forward instead of answering from cache if so. */
@@ -1963,23 +1958,23 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 			  if (crecp->flags & F_CNAME)
 			    sigtype = T_CNAME;
 			  
-			  crecp = NULL;
-			  while ((crecp = cache_find_by_name(crecp, name, now, F_DS | F_DNSKEY)))
+			  while ((rr_crec = cache_find_by_name(rr_crec, name, now, F_DS | F_DNSKEY)))
 			    {
-			      if (crecp->addr.sig.type_covered == sigtype && crecp->uid == C_IN)
+			      if (rr_crec->addr.sig.type_covered == sigtype && rr_crec->uid == C_IN)
 				{
-				  char *sigdata = blockdata_retrieve(crecp->addr.sig.keydata, crecp->addr.sig.keylen, NULL);
+				  char *sigdata = blockdata_retrieve(rr_crec->addr.sig.keydata, rr_crec->addr.sig.keylen, NULL);
 				  gotsig = 1;
 				  
 				  if (!dryrun && 
 				      add_resource_record(header, limit, &trunc, nameoffset, &ansp, 
-							  crecp->ttd - now, &nameoffset,
-							  T_RRSIG, C_IN, "t", crecp->addr.sig.keylen, sigdata))
+							  rr_crec->ttd - now, &nameoffset,
+							  T_RRSIG, C_IN, "t", rr_crec->addr.sig.keylen, sigdata))
 				    anscount++;
 				}
 			    }
-			  /* Need to re-run original cache search */
-			  crecp = gotsig ? cache_find_by_name(NULL, name, now, flag | F_CNAME) : NULL;
+			  
+			  if (!gotsig)
+			    crecp = NULL;
 			}
 #endif
 		    }		 
@@ -2072,7 +2067,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 	  if (qtype == T_CNAME || qtype == T_ANY)
 	    {
 	      if ((crecp = cache_find_by_name(NULL, name, now, F_CNAME)) &&
-		  (qtype == T_CNAME || (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG))))
+		  (qtype == T_CNAME || (crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG  | (dryrun ? F_NO_RR : 0)))))
 		{
 		  if (!(crecp->flags & F_DNSSECOK))
 		    sec_data = 0;
@@ -2111,7 +2106,7 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
 		  }
 	      
 	      if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) && 
-		  cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP))
+		  cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR))
 		{ 
 		  ans = 1;
 		  if (!dryrun)
@@ -2263,17 +2258,16 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
   header->ancount = htons(anscount);
   header->nscount = htons(0);
   header->arcount = htons(addncount);
-  
-  header->hb4 &= ~HB4_AD;
+
   len = ansp - (unsigned char *)header;
   
   if (have_pseudoheader)
-    {
-      len = add_pseudoheader(header, len, (unsigned char *)limit, 0, NULL, 0, sec_reqd);
-      if (sec_reqd && sec_data)
-	header->hb4 |= HB4_AD;
-
-    }
+    len = add_pseudoheader(header, len, (unsigned char *)limit, 0, NULL, 0, sec_reqd);
+  
+  if (*ad_reqd && sec_data)
+    header->hb4 |= HB4_AD;
+  else
+    header->hb4 &= ~HB4_AD;
   
   return len;
 }

src/util.c

@@ -482,66 +482,6 @@ int parse_hex(char *in, unsigned char *out, int maxlen,
   return i;
 }
 
-#ifdef HAVE_DNSSEC
-static int charval(char c)
-{
-  if (c >= 'A' && c <= 'Z')
-    return c - 'A';
-  
-  if (c >= 'a' && c <= 'z')
-    return c - 'a' + 26;
-
-  if (c >= '0' && c <= '9')
-    return c - '0' + 52;
-
-  if (c == '+')
-    return 62;
-  
-  if (c == '/')
-    return 63;
-
-  if (c == '=')
-    return -1;
-
-  return -2;
-}
-
-int parse_base64(char *in, char *out)
-{
-  char *p = out;
-  int i, val[4];
-
-  while (*in)
-    {
-      for (i = 0; i < 4; i++)
-	{ 
-	  while (*in == ' ') 
-	    in++;
-	  if (*in == 0)
-	    return -1;
-	  if ((val[i] = charval(*in++)) == -2)
-	    return -1;
-	}
-          
-      while (*in == ' ') 
-	in++;
-      
-      if (val[1] == -1)
-	return -1; /* too much padding */
-      
-      *p++ = (val[0] << 2) | (val[1] >> 4);
-      
-      if (val[2] != -1)
-	*p++ = (val[1] << 4) | ( val[2] >> 2);
-
-      if (val[3] != -1)
-	*p++ = (val[2] << 6) | val[3];
-    }
-
-  return p - out;
-}
-#endif
-
 /* return 0 for no match, or (no matched octets) + 1 */
 int memcmp_masked(unsigned char *a, unsigned char *b, int len, unsigned int mask)
 {

trust-anchors.conf

@@ -1,8 +1,9 @@
-# The root DNSSEC trust anchors, valid as at 30/01/2014
+# The root DNSSEC trust anchor, valid as at 30/01/2014
+
+# Note that this is a DS record (ie a hash of the root Zone Signing Key) 
+# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
+
+trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
 
 
-dnskey=.,257,8,AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
-dnskey=.,256,8,AwEAAb8sU6pbYMWRbkRnEuEZw9NSir707TkOcF+UL1XiK4NDJOvXRyX1 95Am5dQ7bRnnuySZ3daf37vvjUUhuIWUAQ4stht8nJfYxVQXDYjSpGH5 I6Hf/0CZEoNP6cNvrQ7AFmKkmv00xWExKQjbvnRPI4bqpMwtHVzn6Wyb BZ6kuqED
-dnskey=.,256,8,AwEAAYRU41/8smgAvuSojEP4jaj5Yll7WPaUKpYvnz2pnX2VIvRn4jsy Jns80bloenG6X9ebJVy2CFtZQLKHP8DcKmIFotdgs2HolyocY1am/+33 4RtzusM2ojkhjn1FRGtuSE9s2TSz1ISv0yVnFyu+EP/ZkiWnDfWeVrJI SEWBEr4V
-