From patchwork Sun Jan 21 02:25:09 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1622
Date: Sat, 20 Jan 2018 16:25:09 +0100
From: Peter Müller
To: "development@lists.ipfire.org"
Subject: [PATCH] test if nameservers with DNSSEC support return "ad"-flagged data
Message-ID: <20180120162509.7b128413.peter.mueller@link38.eu>
List-Id: IPFire development talk

DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag in the DNS response header. This can be used as a negative indicator for DNSSEC validation: in case a nameserver does not return the flag, but fails to look up a domain with an invalid signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully comply with the RFCs or try to tamper with DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

Signed-off-by: Peter Müller
---
 src/initscripts/system/unbound | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 4e7e63e5f..410631f86 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -364,7 +364,12 @@ ns_is_validating() { local ns=${1} shift - dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then + return 1 + else + # Determine if NS replies with "ad" data flag if DNSSEC enabled + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | grep "\;\;\ flags:" | awk -F\: '{ print $2 }' | awk -F\; '{ print $1 }' | grep -q "\ ad" + fi } # Checks if we can retrieve the DNSKEY for this domain.
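Review bot: the `if ! ... ; then return 1; else ... fi` wrapper in ns_is_validating() is redundant; `dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL || return 1` followed by the second `dig` pipeline as the function's last command yields the same exit status with less nesting. The flag extraction (`grep "\;\;\ flags:" | awk -F\: ... | awk -F\; ... | grep -q "\ ad"`) spawns four processes to answer a yes/no question; a single `grep -q '^;; flags:[^;]* ad[ ;]'` matches the same header line (the `^;;` anchor already excludes the `; EDNS: version: 0, flags: do;` pseudosection line that `+dnssec` adds) and cannot be fooled by a stray "ad" elsewhere in the output. The comment "Determine if NS replies with "ad" data flag if DNSSEC enabled" should say why `+dnssec` is required: it sets the DO bit, and per RFC 6840 section 5.7 a validating resolver only sets AD when the query carried DO or AD, so dropping the option would make every resolver look non-validating. It is also worth documenting that the AD bit is itself unauthenticated on the wire, so this check detects resolvers that do not claim to validate, not an on-path party that forges responses with AD set; the commit message's "try to tamper DNS queries" overstates what the test proves.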
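The two-step test the commit message describes (SERVFAIL for a deliberately broken signature, then the "ad" flag on a correctly signed name), worked through as an added example that is not IPFire's initscript code. It parses dig's header lines offline from constructed sample output; the function names, the three outcome labels and the sample replies are assumptions for illustration, not output captured from any real resolver.

```shell
#!/bin/sh
# Added example (not IPFire code): classify a resolver from the two dig
# replies the initscript relies on. All dig output below is constructed
# sample text, trimmed to the header lines that matter.

# Print the header flags ("qr rd ra ad") from dig output on stdin.
# Only the ";; flags:" line is considered; the "; EDNS: ... flags: do"
# pseudosection line that +dnssec adds starts with a single ';' and is skipped.
dig_flags() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Print the RCODE (NOERROR, SERVFAIL, ...) from the ";; ->>HEADER<<-" line.
dig_rcode() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Return 0 if the ad (Authenticated Data) flag is present in the reply on stdin.
# Matching on " ad " with padding avoids hits on other flags or on the id field.
has_ad_flag() {
    flags=$(dig_flags)
    case " $flags " in
        *" ad "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_resolver BADSIG_REPLY GOODSIG_REPLY
#   BADSIG_REPLY : dig output for a name whose signature is deliberately broken
#   GOODSIG_REPLY: dig output (queried with +dnssec) for a correctly signed name
# Prints one of: validating, not-validating, servfail-without-ad
# (the last label is this example's name for the case the patch newly rejects).
classify_resolver() {
    bad_rcode=$(printf '%s\n' "$1" | dig_rcode)
    if [ "$bad_rcode" != "SERVFAIL" ]; then
        # Broken signature was answered anyway: no validation at all.
        echo not-validating
        return 0
    fi
    if printf '%s\n' "$2" | has_ad_flag; then
        echo validating
    else
        echo servfail-without-ad
    fi
}

# Constructed sample replies (header portion only).
BAD_SERVFAIL=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
BAD_NOERROR=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)
GOOD_AD=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
EOF
)
GOOD_NO_AD=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23457
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
EOF
)

echo "SERVFAIL + ad      -> $(classify_resolver "$BAD_SERVFAIL" "$GOOD_AD")"
echo "NOERROR  + ad      -> $(classify_resolver "$BAD_NOERROR" "$GOOD_AD")"
echo "SERVFAIL, no ad    -> $(classify_resolver "$BAD_SERVFAIL" "$GOOD_NO_AD")"
```

The "servfail-without-ad" outcome is the one the patch starts treating as non-validating; the single sed expression anchored on `^;; flags:` is also why the EDNS pseudosection line, which carries its own `flags: do`, never reaches the flag test.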