From patchwork Mon Mar 5 04:26:52 2018
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 1684
Date: Sun, 4 Mar 2018 18:26:52 +0100
From: Peter Müller
To: "development@lists.ipfire.org"
Subject: [PATCH v2] test if nameservers with DNSSEC support return "ad"-flagged data
Message-ID: <20180304182652.067d606e.peter.mueller@link38.eu>
List-Id: IPFire development talk

DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag in the DNS response header. This can be used as a negative indicator for DNSSEC validation: in case a nameserver does not return the flag, but fails to look up a domain with an invalid signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully comply with the RFCs or try to tamper with DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

The second version of this patch avoids unnecessary usage of grep. Thanks to Michael Tremer for the hint.

Signed-off-by: Peter Müller
---
 src/initscripts/system/unbound | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a46999992..dcb9653ee 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -378,7 +378,12 @@ ns_is_validating() { local ns=${1} shift - dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then + return 1 + else + # Determine if NS replies with "ad" data flag if DNSSEC enabled + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }' + fi } # Checks if we can retrieve the DNSKEY for this domain.
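Review bot: the awk check in the `else` branch reports success when the `;; flags:` line is never seen. If the second `dig` times out, is refused or prints nothing at all, no rule matches, awk falls off the end of its input with exit status 0, and `ns_is_validating()` then treats a nameserver that never answered as validating. Initialising the status before any input is read and exiting from an END rule closes that gap while keeping the author's flag test, e.g. `awk 'BEGIN { s=1 } /;; flags:/ { if (/ ad/) s=0 } END { exit s }'`. Two smaller points in the same hunk: `-F:` is unused because no field is referenced, and the backslashes before `;`, `:` and the space in the regex are unnecessary since none of those characters is special in awk; the `if ! ...; then return 1; else ...; fi` construct could also be collapsed to `... | grep -q SERVFAIL || return 1` followed by the second `dig`, which keeps both checks at the same indentation level and makes the function's exit status that of the last command.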