Software / code / prosody
Changeset
12601:72f7bb3f30d3
net.resolvers.basic: Add opt-out argument for DNSSEC security status
This makes explicit which lookups can accept an unsigned response.
Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as
security would come from TLS, but an insecure TLSA record is worthless.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Tue, 02 Aug 2022 16:08:43 +0200 |
| parents | 12600:3d3a0c4e2662 |
| children | 12602:9184fe3d489a |
| files | net/resolvers/basic.lua |
| diffstat | 1 files changed, 5 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/net/resolvers/basic.lua Fri Jul 29 17:10:31 2022 +0200 +++ b/net/resolvers/basic.lua Tue Aug 02 16:08:43 2022 +0200 @@ -10,7 +10,7 @@ -- FIXME RFC 6724 -local function do_dns_lookup(self, dns_resolver, record_type, name) +local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure) return promise.new(function (resolve, reject) local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil; if ipv and self.extra["use_ipv"..ipv] == false then @@ -23,6 +23,8 @@ return reject(err); elseif answer.bogus then return reject(("Validation error in %s lookup"):format(record_type)); + elseif not (answer.secure or allow_insecure) then + return reject(("Insecure response in %s lookup"):format(record_type)); elseif answer.status and #answer == 0 then return reject(("%s in %s lookup"):format(answer.status, record_type)); end @@ -78,8 +80,8 @@ local dns_resolver = adns.resolver(); local dns_lookups = { - ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname); - ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname); + ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true); + ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true); tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname)); };
