dnsx/cacher,dnsx/alg,x64/dns64: skip dnssec

Author: ignoramous

intra/backend/dnsx_listener.go

@@ -43,6 +43,10 @@ type DNSSummary struct {
 	// True if any among upstream transports (primary or secondary) returned blocked ans.
 	// Only valid for A/AAAA queries. Unspecified IPs are considered as "blocked ans".
 	UpstreamBlocks bool
+	// True if DNSSEC OK bit is set.
+	DO bool
+	// True if DNSSEC validation was successful.
+	AD bool
 	// Diag message from Transport, if any. Typically, "no error"
 	Msg string
 	// Region of the Rethink DNS+ server (if used)

intra/dnsx/alg.go

@@ -835,6 +835,9 @@ func (t *dnsgateway) q(t1, t2 Transport, preset []netip.Addr, network, uid strin
 	// the effort of setting up alg/ptr/nat caches which is wasteful in this case.
 	dontalg := usepreset || skipcache || uidself
 	synthAns := usepreset || usefixed
+	hasdnssec := xdns.IsDNSSECRequested(q)
+
+	smm.DO = hasdnssec
 
 	if discarduid {
 		uid = core.UNKNOWN_UID_STR
@@ -888,14 +891,17 @@ func (t *dnsgateway) q(t1, t2 Transport, preset []netip.Addr, network, uid strin
 		if !xdns.HasRcodeSuccess(ansin) {
 			return ansin, err
 		}
-		log.D("alg: err but ans ok: %d; self? %t synth? %t; qerr %v",
-			xdns.Len(ansin), uidself, synthAns, err)
+		log.D("alg: for %s:%s err but ans ok: %d; do? %t, self? %t synth? %t; qerr %v",
+			qname(q), qtype(q), xdns.Len(ansin), hasdnssec, uidself, synthAns, err)
 	}
 
 	if ansin == nil { // may be nil on errors
 		return nil, errNoAnswer // err is nil
 	}
 
+	hasauth64 := false
+	hasauth := xdns.IsDNSSECAnswerAuthenticated(ansin)
+
 	qname := qname(ansin)
 	qtyp := qtype(ansin)
 	smm.QName = qname
@@ -904,14 +910,19 @@ func (t *dnsgateway) q(t1, t2 Transport, preset []netip.Addr, network, uid strin
 	// if usefixed is true, then d64 is no-op, as preset fixed ip does have ipv6
 	ans64 := t.dns64.D64(network, t1.ID().V(), uid, ansin) // ans64 may be nil if no D64 or error
 	if ans64 != nil {
-		log.D("alg: %s<>%s:%s[%s] %d dns64; s/ans(%d)/ans64(%d)",
-			qname, smm.ID, idstr(t1), uid, qtyp, xdns.Len(ansin), xdns.Len(ans64))
+		log.D("alg: %s<>%s:%s[%s] %d dns64; dnssec? %t; s/ans(%d)/ans64(%d)",
+			qname, smm.ID, idstr(t1), uid, qtyp, hasdnssec, xdns.Len(ansin), xdns.Len(ans64))
 		withDNS64Summary(ans64, smm)
 		// todo: for uidself, skip dns64? see: ipmapper.go:undoAlgAndOrNat64
 		// todo: skip for for undelegated domains like ipv4only.arpa?
 		ansin = ans64
+		// false if ans64 is synthesized or nil
+		// or its value matches hasauth
+		hasauth64 = xdns.IsDNSSECAnswerAuthenticated(ans64)
 	} // else: no dns64, or error; continue with ansin
 
+	smm.AD = hasauth && hasauth64 // true if both ansin and ans64 are authenticated
+
 	hasq := xdns.HasAAAAQuestion(ansin) || xdns.HasAQuestion(ansin) ||
 		xdns.HasSVCBQuestion(ansin) || xdns.HasHTTPQuestion(ansin)
 	hasans := xdns.HasAnyAnswer(ansin)
@@ -927,8 +938,8 @@ func (t *dnsgateway) q(t1, t2 Transport, preset []netip.Addr, network, uid strin
 
 	// todo: skip alg for undelegated domains like ipv4only.arpa?
 	if !hasq || !hasans || !rgood || ans0000 || dontalg {
-		log.D("alg: skip; query %s<>%s[%s]:%s:%d / a:%d, self(%t) dontalg(%t) hasq(%t) hasans(%t) rgood(%t), ans0000(%t)",
-			smm.ID, idstr(t1), uid, qname, qtyp, xdns.Len(ansin), uidself, dontalg, hasq, hasans, rgood, ans0000)
+		log.D("alg: skip; query %s<>%s[%s]:%s:%d / a:%d, dnssec(do? %t /ad? %t) self(%t) dontalg(%t) hasq(%t) hasans(%t) rgood(%t), ans0000(%t)",
+			smm.ID, idstr(t1), uid, qname, qtyp, xdns.Len(ansin), smm.DO, smm.AD, uidself, dontalg, hasq, hasans, rgood, ans0000)
 		return ansin, nil
 	}
 
@@ -1044,8 +1055,8 @@ func (t *dnsgateway) q(t1, t2 Transport, preset []netip.Addr, network, uid strin
 		mustsubst = true
 	}
 
-	log.D("alg: %s<>%s[%s]; %s:%d a6(a %d / h %d / s %t) : a4(a %d / h %d / s %t); ttl: %s",
-		smm.ID, idstr(t1), uid, qname, qtyp, len(a6), len(ip6hints), substok6, len(a4), len(ip4hints), substok4, ansttl)
+	log.D("alg: %s<>%s[%s]; %s:%d (do? %t / ad? %t) a6(a %d / h %d / s %t) : a4(a %d / h %d / s %t); ttl: %s",
+		smm.ID, idstr(t1), uid, qname, qtyp, smm.DO, smm.AD, len(a6), len(ip6hints), substok6, len(a4), len(ip4hints), substok4, ansttl)
 	if !substok4 && !substok6 {
 		if mustsubst {
 			err = errAlgCannotSubst
@@ -1084,13 +1095,13 @@ func (t *dnsgateway) q(t1, t2 Transport, preset []netip.Addr, network, uid strin
 	// the answer, whose ID != to t1 (cacher) itself. OTOH, dnsx.Resolver
 	// uses DNSSummary.ID when returning ans to the caller (ex: ipmapper)
 	tidToReg := smm.ID
-	log.D("alg: ok; for %s<>%s[%s]:%s:%d, domains %s real: %s / fix: %s => subst %s | %s; (mod? %t / fix? %t / synth? %t); sec %s; ttl %s",
-		tidToReg, idstr(t1), uid, qname, qtyp, targets, realip, fixedips, algip4, algip6, mod, usefixed, synthAns, secres.ips, ansttl)
+	log.D("alg: ok; for %s<>%s[%s]:%s:%d (do? %t / ad? %t), domains %s real: %s / fix: %s => subst %s | %s; (mod? %t / fix? %t / synth? %t); sec %s; ttl %s",
+		tidToReg, idstr(t1), uid, qname, qtyp, smm.DO, smm.AD, targets, realip, fixedips, algip4, algip6, mod, usefixed, synthAns, secres.ips, ansttl)
 
 	if t.registerLocked(qname, tidToReg, uid, algip4, algip6, realip, ansttl, targets, secres) {
 		// if mod is set, send modified answer
 		if mod {
-			withAlgSummaryIfNeeded(smm, algip4, algip6)
+			withAlgSummary(smm, algip4, algip6)
 			return ansmod, nil
 		} else {
 			return ansin, nil
@@ -1130,7 +1141,7 @@ func withDNS64Summary(ans64 *dns.Msg, s *x.DNSSummary) {
 	}
 }
 
-func withAlgSummaryIfNeeded(s *x.DNSSummary, algips ...netip.Addr) {
+func withAlgSummary(s *x.DNSSummary, algips ...netip.Addr) {
 	if settings.Debug {
 		// convert algips to ipcsv; any algips may be invalid
 		ipcsv := Netip2Csv(algips)
@@ -1147,6 +1158,8 @@ func withAlgSummaryIfNeeded(s *x.DNSSummary, algips ...netip.Addr) {
 			s.Server = prefix + notransport
 		}
 	}
+	// if modified alg ips are being returned, then these are not authentic
+	s.AD = len(algips) > 0
 }
 
 func (t *dnsgateway) registerLocked(q, tid, uid string, algip4, algip6 netip.Addr, realips []netip.Addr, ttl time.Duration, targets []string, secres secans) bool {

intra/dnsx/cacher.go

@@ -58,6 +58,7 @@ var (
 	errBlocked               = errors.New("dns: answer blocked")
 	errHangover              = errors.New("dns: no connectivity")
 	errNilCacheResponse      = errors.New("dns: nil cache response")
+	errCannotUseStaleCache   = errors.New("dns: cannot use stale cache response")
 	errSkipInternalCache     = errors.New("dns: skip internal cache")
 	errCacheResponseMismatch = errors.New("dns: cache response mismatch")
 )
@@ -193,8 +194,12 @@ func mkcachekey(q *dns.Msg) (string, uint8, bool) {
 		return "", 0, false
 	}
 	qtyp := strconv.Itoa(int(xdns.QType(q)))
+	do := "0"
+	if xdns.IsDNSSECRequested(q) {
+		do = "1"
+	}
 
-	return qname + cacheKeySep + qtyp, hash(qname), true
+	return qname + cacheKeySep + qtyp + cacheKeySep + do, hash(qname), true
 }
 
 // scrubCache deletes expired entries from the cache.
@@ -287,11 +292,19 @@ func (cb *cache) put(key string, cc *cres) (ok bool) {
 	// 1. ansttl is 0 for synthesized "block" answers (see xdns.BlockTTL)
 	// 2. for most empty ans (like qtype:65), ansttl is 0
 	ansttl := time.Duration(xdns.RTtl(ans)) * time.Second
-	if ansttl < cb.ttl {
-		ansttl = cb.ttl
-	} else { // bump up a bit longer than the ttl
-		ansttl = ansttl + cb.halflife
+
+	if !xdns.IsDNSSECAnswerAuthenticated(ans) {
+		if ansttl < cb.ttl {
+			ansttl = cb.ttl
+		} else { // bump up a bit longer than the ttl
+			ansttl = ansttl + cb.halflife
+		}
 	}
+
+	if ansttl == 0 {
+		return
+	}
+
 	exp := time.Now().Add(ansttl)
 	v := &cres{ // TODO: copy is not required?
 		ans:    cc.ans.Copy(),
@@ -319,6 +332,11 @@ func asResponse(q *dns.Msg, v *cres, fresh bool) (a *dns.Msg, s *x.DNSSummary, e
 		err = errNilCacheResponse
 		return
 	}
+	if !fresh && xdns.IsDNSSECAnswerAuthenticated(a) {
+		// for stale responses, TTL is modified which violates DNSSEC?
+		err = errCannotUseStaleCache
+		return
+	}
 	aname := qname(a)
 	qname := qname(q)
 	if aname != qname {
@@ -327,7 +345,7 @@ func asResponse(q *dns.Msg, v *cres, fresh bool) (a *dns.Msg, s *x.DNSSummary, e
 		return
 	}
 
-	a.Id = q.Id
+	a.Id = q.Id // OK to change even if dnssec?
 	// dns 0x20 may mangle the question section, so preserve it
 	// github.com/jedisct1/edgedns#correct-support-for-the-dns0x20-extension
 	a.Question = q.Question
@@ -589,6 +607,8 @@ func fillSummary(s *x.DNSSummary, out *x.DNSSummary) {
 
 	if len(s.RData) != 0 {
 		out.RData = s.RData
+		out.AD = s.AD
+		out.DO = s.DO
 	}
 
 	out.Cached = s.Cached

intra/x64/dns64.go

@@ -165,8 +165,9 @@ func (d *dns64) eval(network string, force64 bool, ansin *dns.Msg, r, uid string
 	hasq6 := xdns.HasAAAAQuestion(ansin)
 	hasans6 := xdns.HasAAAAAnswer(ansin)
 	ans00006 := xdns.AQuadAUnspecified(ansin)
+	hasauth := xdns.IsDNSSECAnswerAuthenticated(ansin)
 	// treat as if v6 answer missing if enforcing 6to4
-	if !hasq6 || (hasans6 && !force64) || ans00006 {
+	if !hasq6 || ((hasauth || hasans6) && !force64) || ans00006 {
 		// nb: has-aaaa-answer should cover for cases where
 		// the response is blocked by dnsx.RDNS
 		log.D("dns64: for(%s %s), no-op q(%s), q6(%t), ans6(%t), force64(%t), ans0000(%t)",
@@ -182,9 +183,9 @@ func (d *dns64) eval(network string, force64 bool, ansin *dns.Msg, r, uid string
 				ip64 = d.ip64[dnsx.Local464Resolver]
 			}
 		}
-		log.D("dns64: attempt underlay/local464 resolver [%s@%s] ip64 w len(%d)", r, uid, len(ip64))
+		log.D("dns64: attempt underlay/local464 resolver [%s@%s] ip64 (ad? %t) w len(%d)", r, uid, hasauth, len(ip64))
 	} else {
-		log.V("dns64: for %s, no resolver id(%s[%s]) registered", uid, r, id)
+		log.V("dns64: for %s, no resolver id(%s[%s]) registered (ad? %t)", uid, r, id, hasauth)
 	}
 
 	ans4, err := d.query64(network, ansin, r, uid)

intra/xdns/common.go

@@ -137,8 +137,9 @@ func Net2ProxyID(network string) (proto string, pids []string) {
 	return
 }
 
+// Bust cache as needed and if ans is not authenticated.
 func BustAndroidCacheIfNeeded(ans *dns.Msg) bool {
-	if BustDnsproxydResNetCache {
+	if BustDnsproxydResNetCache && !IsDNSSECAnswerAuthenticated(ans) {
 		// TODO: skip negative records (SOA, NXDOMAIN, etc)
 		return WithTtl(ans, ZeroTTL, dns.TypeA, dns.TypeAAAA)
 	}