1 Description: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
2 This allows ssh to see the DNSSEC validation status (AD bit) of SSHFP DNS records when glibc 2.11 or later is installed. Note that the AD bit is only as trustworthy as the resolver named in resolv.conf and the path to it, so it should not be relied on with an untrusted or remote resolver.
3 Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
4 Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
5 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
6 Last-Update: 2010-04-06
9 ===================================================================
16 + unsigned int rrset_flags = 0;
17 struct rrsetinfo *fingerprints = NULL;
19 u_int8_t hostkey_algorithm;
25 + * Original getrrsetbyname function, found on OpenBSD for example,
26 + * doesn't accept any flag and prerequisite for obtaining AD bit in
27 + * DNS response is set by "options edns0" in resolv.conf.
29 + * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
31 +#ifndef HAVE_GETRRSETBYNAME
32 + rrset_flags |= RRSET_FORCE_EDNS0;
34 result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
35 - DNS_RDATATYPE_SSHFP, 0, &fingerprints);
36 + DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
39 verbose("DNS lookup error: %s", dns_result_totext(result));
41 Index: b/openbsd-compat/getrrsetbyname.c
42 ===================================================================
43 --- a/openbsd-compat/getrrsetbyname.c
44 +++ b/openbsd-compat/getrrsetbyname.c
49 - /* don't allow flags yet, unimplemented */
51 + /* Allow RRSET_FORCE_EDNS0 flag only. */
52 + if ((flags & !RRSET_FORCE_EDNS0) != 0) {
53 result = ERRSET_INVAL;
60 - /* turn on DNSSEC if EDNS0 is configured */
61 - if (_resp->options & RES_USE_EDNS0)
62 - _resp->options |= RES_USE_DNSSEC;
63 + /* turn on DNSSEC if required */
64 + if (flags & RRSET_FORCE_EDNS0)
65 + _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
66 #endif /* RES_USE_DNSEC */
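Review bot: The flag check at the top of this hunk, `if ((flags & !RRSET_FORCE_EDNS0) != 0)`, never rejects anything: `!RRSET_FORCE_EDNS0` is the logical negation of 0x0001, which is 0, so the AND is always 0 and the "Allow RRSET_FORCE_EDNS0 flag only" comment is not enforced — any caller-supplied flag bits pass as valid. The intended mask is bitwise, `if ((flags & ~RRSET_FORCE_EDNS0) != 0) {`. This matters because the removed line shows the old code refused all flags, so the patch silently widens the accepted input without the validation it claims to add; recent compilers would flag the `!` form with -Wlogical-not-parentheses, which is worth enabling for the compat directory. The enclosing getrrsetbyname() starts and ends outside the hunk.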
69 Index: b/openbsd-compat/getrrsetbyname.h
70 ===================================================================
71 --- a/openbsd-compat/getrrsetbyname.h
72 +++ b/openbsd-compat/getrrsetbyname.h
74 #ifndef RRSET_VALIDATED
75 # define RRSET_VALIDATED 1
77 +#ifndef RRSET_FORCE_EDNS0
78 +# define RRSET_FORCE_EDNS0 0x0001
82 * Return codes for getrrsetbyname()