Software / code / prosody
Diff
net/resolvers/basic.lua @ 12601:72f7bb3f30d3
net.resolvers.basic: Add opt-out argument for DNSSEC security status
This makes explicit which lookups can accept an unsigned response.
Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as
security would come from TLS, but an insecure TLSA record is worthless.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 Aug 2022 16:08:43 +0200 |
| parent | 12413:e155f4509954 |
| child | 12815:2d134201dc55 |
line wrap: on
line diff
--- a/net/resolvers/basic.lua Fri Jul 29 17:10:31 2022 +0200 +++ b/net/resolvers/basic.lua Tue Aug 02 16:08:43 2022 +0200 @@ -10,7 +10,7 @@ -- FIXME RFC 6724 -local function do_dns_lookup(self, dns_resolver, record_type, name) +local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure) return promise.new(function (resolve, reject) local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil; if ipv and self.extra["use_ipv"..ipv] == false then @@ -23,6 +23,8 @@ return reject(err); elseif answer.bogus then return reject(("Validation error in %s lookup"):format(record_type)); + elseif not (answer.secure or allow_insecure) then + return reject(("Insecure response in %s lookup"):format(record_type)); elseif answer.status and #answer == 0 then return reject(("%s in %s lookup"):format(answer.status, record_type)); end @@ -78,8 +80,8 @@ local dns_resolver = adns.resolver(); local dns_lookups = { - ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname); - ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname); + ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true); + ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true); tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname)); };
