
net/resolvers/basic.lua @ 12601:72f7bb3f30d3

net.resolvers.basic: Add opt-out argument for DNSSEC security status. This makes explicit which lookups can accept an unsigned response. Insecure (unsigned, as before DNSSEC) A and AAAA records can be used, since security would come from TLS, but an insecure TLSA record is worthless.
author Kim Alvefur <zash@zash.se>
date Tue, 02 Aug 2022 16:08:43 +0200
parent 12413:e155f4509954
child 12815:2d134201dc55
12600:3d3a0c4e2662 12601:72f7bb3f30d3
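--- a/net/resolvers/basic.lua
+++ b/net/resolvers/basic.lua
@@ -8,11 +8,11 @@
 local methods = {};
 local resolver_mt = { __index = methods };
 
 -- FIXME RFC 6724
 
-local function do_dns_lookup(self, dns_resolver, record_type, name)
+local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure)
 return promise.new(function (resolve, reject)
 local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil;
 if ipv and self.extra["use_ipv"..ipv] == false then
 return reject(("IPv%s disabled - %s lookup skipped"):format(ipv, record_type));
 elseif record_type == "TLSA" and self.extra.use_dane ~= true then
@@ -21,10 +21,12 @@
 dns_resolver:lookup(function (answer, err)
 if not answer then
 return reject(err);
 elseif answer.bogus then
 return reject(("Validation error in %s lookup"):format(record_type));
+elseif not (answer.secure or allow_insecure) then
+return reject(("Insecure response in %s lookup"):format(record_type));
 elseif answer.status and #answer == 0 then
 return reject(("%s in %s lookup"):format(answer.status, record_type));
 end
 
 local targets = { secure = answer.secure };
@@ -76,12 +78,12 @@
 
 -- Resolve DNS to target list
 local dns_resolver = adns.resolver();
 
 local dns_lookups = {
-ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname);
-ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname);
+ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true);
+ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true);
 tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname));
 };
 
 promise.all_settled(dns_lookups):next(function (dns_results)
 -- Combine targets, assign to self.targets, self:next(cb)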
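Review bot: Because the new `elseif not (answer.secure or allow_insecure)` branch sits before the `answer.status and #answer == 0` branch, an unsigned negative answer for the TLSA name (presumably the common case for peers that publish no TLSA record behind a non-validating resolver) is now reported as `Insecure response in TLSA lookup` instead of the DNS status the next branch would have named. Both branches reject, so the security outcome is the same, but the message no longer tells an operator whether a record existed; either swap the two branches, which changes only the message, or document the ordering with a comment such as `-- an unsigned answer is rejected before its status is examined: without validation, neither the records nor their absence can be trusted`. The new `allow_insecure` parameter should also be described above `do_dns_lookup`, e.g. `-- allow_insecure: accept an answer without DNSSEC validation (answer.secure unset); true for A/AAAA because TLS authenticates the peer, never for TLSA`. A consequence worth stating in the same comment is that a TLSA lookup can now only succeed through a validating resolver. The bodies of `do_dns_lookup` and of the method holding `dns_lookups` continue outside these hunks.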