To find the DS record for a given zone the parent zone's nameserver must
be queried and not the nameserver for the zone. Otherwise DNSSEC
verification for unsigned delegations breaks.
Signed-off-by: Uwe Kleine-König <uwe+open...@kleine-koenig.org>
---
Hello,
this patch fixes DNSSEC verification when dnsmasq serves an (unsigned)
zone under a signed parent zone.
It makes the difference between:
$ delv ares.kk2.kleine-koenig.org
;; no valid RRSIG resolving 'kk2.kleine-koenig.org/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'ares.kk2.kleine-koenig.org/A/IN':
127.0.0.53#53
;; resolution failed: broken trust chain
(previous behaviour) and
$ delv ares.kk2.kleine-koenig.org
; unsigned answer
ares.kk2.kleine-koenig.org. 600 IN A 192.168.137.18
(new behaviour).
This patch fits on the openwrt-24.10 branch and also on top of main.
(However main has a patch to dnsmasq and I'm unsure how to handle
bumping PKG_RELEASE there.)
This patch is contained in dnsmasq v2.91test8 which I expect to lead to
v2.91 soon, but not before the expected release of OpenWrt 24.10. So I'm
forwarding this patch. Note that Simon Kelly found a few more fixes that
are in upstream git and the most recent release is v2.91test9. But this
patch is enought to fix operation for me.
This is a followup to my patch that updates dnsmasq to 2.91test8 which
hauke in irc indicated was not ok to go into 24.10.
Thanks for considering it for inclusion in openwrt-24.10.
Best regards
Uwe
package/network/services/dnsmasq/Makefile | 2 +-
...0003-Handle-DS-queries-to-auth-zones.patch | 100 ++++++++++++++++++
2 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644
package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
diff --git a/package/network/services/dnsmasq/Makefile
b/package/network/services/dnsmasq/Makefile
index 0a597c03ce40..47a5ae54ae7f 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_UPSTREAM_VERSION:=2.90
PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/
diff --git
a/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
b/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
new file mode 100644
index 000000000000..c4c8744e23a7
--- /dev/null
+++
b/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
@@ -0,0 +1,100 @@
+From 8ce27433f8b2e17c557cb55e4f16941d309deeac Mon Sep 17 00:00:00 2001
+From: Simon Kelley <si...@thekelleys.org.uk>
+Date: Fri, 17 Jan 2025 17:49:29 +0000
+Subject: [PATCH] Handle DS queries to auth zones.
+Origin: upstream, v2.91test8
+
+When dnsmasq is configured to act as an authoritative server and has
+an authoritative zone configured, and recieves a query for
+that zone _as_forwarder_ it answers the query directly rather
+than forwarding it. This doesn't affect the answer, but it
+saves dnsmasq forwarding the query to the recusor upstream,
+whch then bounces it back to dnsmasq in auth mode. The
+exception should be when the query is for the root of zone, for a DS
+RR. The answer to that has to come from the parent, via the
+recursor, and will typically be a proof-of-nonexistence since
+dnsmasq doesn't support signed zones. This patch suppresses
+local answers and forces forwarding to the upstream recursor
+for such queries. It stops breakage when a DNSSEC validating
+client makes queries to dnsmasq acting as forwarder for a zone
+for which it is authoritative.
+
+[ukleinek: drop changes to CHANGELOG to prevent conflicts]
+---
+ src/forward.c | 52 +++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 38 insertions(+), 14 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index 32f37e4054ba..a197594386dd 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1744,15 +1744,27 @@ void receive_query(struct listener *listen, time_t now)
+ #endif
+
+ #ifdef HAVE_AUTH
+- /* find queries for zones we're authoritative for, and answer them
directly */
++ /* Find queries for zones we're authoritative for, and answer them
directly.
++ The exception to this is DS queries for the zone route. They
++ have to come from the parent zone. Since dnsmasq's auth server
++ can't do DNSSEC, the zone will be unsigned, and anything using
++ dnsmasq as a forwarder and doing validation will be expecting to
++ see the proof of non-existence from the parent. */
+ if (!auth_dns && !option_bool(OPT_LOCALISE))
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+- if (in_zone(zone, daemon->namebuff, NULL))
+- {
+- auth_dns = 1;
+- local_auth = 1;
+- break;
+- }
++ {
++ char *cut;
++
++ if (in_zone(zone, daemon->namebuff, &cut))
++ {
++ if (type != T_DS || cut)
++ {
++ auth_dns = 1;
++ local_auth = 1;
++ }
++ break;
++ }
++ }
+ #endif
+
+ #ifdef HAVE_LOOP
+@@ -2268,15 +2280,27 @@ unsigned char *tcp_request(int confd, time_t now,
+ &peer_addr, auth_dns ? "auth" : "query",
qtype);
+
+ #ifdef HAVE_AUTH
+- /* find queries for zones we're authoritative for, and answer
them directly */
++ /* Find queries for zones we're authoritative for, and answer
them directly.
++ The exception to this is DS queries for the zone route. They
++ have to come from the parent zone. Since dnsmasq's auth server
++ can't do DNSSEC, the zone will be unsigned, and anything using
++ dnsmasq as a forwarder and doing validation will be expecting
to
++ see the proof of non-existence from the parent. */
+ if (!auth_dns && !option_bool(OPT_LOCALISE))
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+- if (in_zone(zone, daemon->namebuff, NULL))
+- {
+- auth_dns = 1;
+- local_auth = 1;
+- break;
+- }
++ {
++ char *cut;
++
++ if (in_zone(zone, daemon->namebuff, &cut))
++ {
++ if (qtype != T_DS || cut)
++ {
++ auth_dns = 1;
++ local_auth = 1;
++ }
++ break;
++ }
++ }
+ #endif
+ }
+ }
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
