- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.

git-svn-id: file:///svn/unbound/trunk@2414 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c

@@ -446,7 +446,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 	uint16_t udpsize = edns->udp_size;
 	int secure = 0;
 	uint32_t timenow = *worker->env.now;
-	int must_validate = !(flags&BIT_CD) && worker->env.need_to_validate;
+	int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+		&& worker->env.need_to_validate;
 	struct dns_msg *msg = NULL;
 	struct delegpt *dp;
 
@@ -522,7 +523,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	uint32_t timenow = *worker->env.now;
 	uint16_t udpsize = edns->udp_size;
 	int secure;
-	int must_validate = !(flags&BIT_CD) && worker->env.need_to_validate;
+	int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+		&& worker->env.need_to_validate;
 	/* see if it is possible */
 	if(rep->ttl < timenow) {
 		/* the rrsets may have been updated in the meantime.

doc/Changelog

@@ -1,6 +1,7 @@
 10 May 2011: Wouter
 	- bug#386: --enable-allsymbols option links all binaries to libunbound
 	  and reduces install size significantly.
+	- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
 
 14 April 2011: Wouter
 	- configure created with newer autoconf 2.66.

doc/example.conf.in

@@ -378,6 +378,11 @@ server:
 	# replies if the message is found secure. The default is off.
 	# val-permissive-mode: no
 
+	# Ignore the CD flag in incoming queries and refuse them bogus data.
+	# Enable it if the only clients of unbound are legacy servers (w2008)
+	# that set CD but cannot validate themselves.
+	# ignore-cd-flag: no
+
 	# Have the validator log failed validations for your diagnosis.
 	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
 	# val-log-level: 0

doc/unbound.conf.5.in

@@ -657,6 +657,14 @@ receives the bogus data. For messages that are found to be secure the AD bit
 is set in replies. Also logging is performed as for full validation.
 The default value is "no". 
 .TP
+.B ignore\-cd\-flag: \fI<yes or no>
+Instruct unbound to ignore the CD flag from clients and refuse to
+return bogus answers to them.  Thus, the CD (Checking Disabled) flag
+does not disable checking any more.  This is useful if legacy (w2008)
+servers that set the CD flag but cannot validate DNSSEC themselves are
+the clients, and then unbound provides them with DNSSEC protection.
+The default value is "no".
+.TP
 .B val\-nsec3\-keysize\-iterations: \fI<"list of values">
 List of keysize and iteration count values, separated by spaces, surrounded
 by quotes. Default is "1024 150 2048 500 4096 2500". This determines the

services/mesh.c

@@ -772,7 +772,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	struct timeval duration;
 	int secure;
 	/* examine security status */
-	if(m->s.env->need_to_validate && !(r->qflags&BIT_CD) && rep && 
+	if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
+		m->s.env->cfg->ignore_cd) && rep && 
 		rep->security <= sec_status_bogus) {
 		rcode = LDNS_RCODE_SERVFAIL;
 		if(m->s.env->cfg->stat_extended) 

util/config_file.c

@@ -177,6 +177,7 @@ config_create(void)
 	cfg->val_log_level = 0;
 	cfg->val_log_squelch = 0;
 	cfg->val_permissive_mode = 0;
+	cfg->ignore_cd = 0;
 	cfg->add_holddown = 30*24*3600;
 	cfg->del_holddown = 30*24*3600;
 	cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */
@@ -382,6 +383,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_NUMBER_OR_ZERO("val-log-level:", val_log_level)
 	else S_YNO("val-log-squelch:", val_log_squelch)
 	else S_YNO("val-permissive-mode:", val_permissive_mode)
+	else S_YNO("ignore-cd-flag:", ignore_cd)
 	else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
 	else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown)
 	else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown)
@@ -599,6 +601,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_YNO(opt, "val-clean-additional", val_clean_additional)
 	else O_DEC(opt, "val-log-level", val_log_level)
 	else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
+	else O_YNO(opt, "ignore-cd-flag", ignore_cd)
 	else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
 	else O_UNS(opt, "add-holddown", add_holddown)
 	else O_UNS(opt, "del-holddown", del_holddown)

util/config_file.h

@@ -236,6 +236,8 @@ struct config_file {
 	int val_log_squelch;
 	/** should validator allow bogus messages to go through */
 	int val_permissive_mode;
+	/** ignore the CD flag in incoming queries and refuse them bogus data */
+	int ignore_cd;
 	/** nsec3 maximum iterations per key size, string */
 	char* val_nsec3_key_iterations;
 	/** autotrust add holddown time, in seconds */

util/configlexer.lex

@@ -204,6 +204,7 @@ val-sig-skew-max{COLON}		{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
 val-bogus-ttl{COLON}		{ YDVAR(1, VAR_BOGUS_TTL) }
 val-clean-additional{COLON}	{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
 val-permissive-mode{COLON}	{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
+ignore-cd-flag{COLON}		{ YDVAR(1, VAR_IGNORE_CD_FLAG) }
 val-log-level{COLON}		{ YDVAR(1, VAR_VAL_LOG_LEVEL) }
 key-cache-size{COLON}		{ YDVAR(1, VAR_KEY_CACHE_SIZE) }
 key-cache-slabs{COLON}		{ YDVAR(1, VAR_KEY_CACHE_SLABS) }

util/configparser.h

@@ -1,10 +1,9 @@
-
+/* A Bison parser, made by GNU Bison 2.4.3.  */
-/* A Bison parser, made by GNU Bison 2.4.1.  */
 
 /* Skeleton interface for Bison's Yacc-like parsers in C
    
-      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
+      Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
-   Free Software Foundation, Inc.
+   2009, 2010 Free Software Foundation, Inc.
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -154,7 +153,8 @@
      VAR_PREFETCH = 370,
      VAR_PREFETCH_KEY = 371,
      VAR_SO_SNDBUF = 372,
-     VAR_HARDEN_BELOW_NXDOMAIN = 373
+     VAR_HARDEN_BELOW_NXDOMAIN = 373,
+     VAR_IGNORE_CD_FLAG = 374
    };
 #endif
 /* Tokens.  */
@@ -274,6 +274,7 @@
 #define VAR_PREFETCH_KEY 371
 #define VAR_SO_SNDBUF 372
 #define VAR_HARDEN_BELOW_NXDOMAIN 373
+#define VAR_IGNORE_CD_FLAG 374
 
 
 
@@ -282,15 +283,15 @@
 typedef union YYSTYPE
 {
 
-/* Line 1676 of yacc.c  */
+/* Line 1685 of yacc.c  */
 #line 64 "util/configparser.y"
 
 	char*	str;
 
 
 
-/* Line 1676 of yacc.c  */
+/* Line 1685 of yacc.c  */
-#line 294 "util/configparser.h"
+#line 295 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */

util/configparser.y

@@ -102,6 +102,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN 
 %token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
 %token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_HARDEN_BELOW_NXDOMAIN
+%token VAR_IGNORE_CD_FLAG
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -155,7 +156,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_auto_trust_anchor_file | server_add_holddown | 
 	server_del_holddown | server_keep_missing | server_so_rcvbuf |
 	server_edns_buffer_size | server_prefetch | server_prefetch_key |
-	server_so_sndbuf | server_harden_below_nxdomain
+	server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -918,6 +919,15 @@ server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG
 		free($2);
 	}
 	;
+server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG
+	{
+		OUTYY(("P(server_ignore_cd_flag:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->ignore_cd = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_val_log_level: VAR_VAL_LOG_LEVEL STRING_ARG
 	{
 		OUTYY(("P(server_val_log_level:%s)\n", $2));