recursor: set DO in outgoing queries
when the recursor is "security-aware" -- that is, when the "dnssec" feature is enabled -- as per RFC 4035 section 3.2.1
parent
cffc3fac2a
commit
cc81d5636e
|
@ -85,7 +85,8 @@ fn build_message(query: Query, options: DnsRequestOptions) -> Message {
|
|||
.extensions_mut()
|
||||
.get_or_insert_with(Edns::new)
|
||||
.set_max_payload(MAX_PAYLOAD_LEN)
|
||||
.set_version(0);
|
||||
.set_version(0)
|
||||
.set_dnssec_ok(options.edns_set_dnssec_ok);
|
||||
}
|
||||
message
|
||||
}
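Review bot: `set_dnssec_ok(options.edns_set_dnssec_ok)` is only reached inside the block that builds the OPT record, and the condition guarding that block sits above the hunk. If it is `options.use_edns`, as the closing brace suggests, a caller that sets `edns_set_dnssec_ok = true` but leaves `use_edns = false` sends a query without DO and gets no indication of it. I would state the dependency where the bit is set, with `// DO lives in the EDNS OPT record, so it is only sent when EDNS is in use`, and repeat it on the field in the `DnsRequestOptions` hunk as `/// Has no effect unless use_edns is also true.`. The body of `build_message` starts outside the hunk, so the guard should be confirmed there.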
|
||||
|
|
|
@ -25,6 +25,8 @@ pub struct DnsRequestOptions {
|
|||
// TODO: add EDNS options here?
|
||||
/// When true, will add EDNS options to the request.
|
||||
pub use_edns: bool,
|
||||
/// When true, sets the DO bit in the EDNS options
|
||||
pub edns_set_dnssec_ok: bool,
|
||||
/// Specifies maximum request depth for DNSSEC validation.
|
||||
pub max_request_depth: usize,
|
||||
/// set recursion desired (or not) for any requests
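Review bot: Adding `pub edns_set_dnssec_ok` to a public struct with public fields breaks any downstream code that builds `DnsRequestOptions` with a full struct literal, unless the struct carries `#[non_exhaustive]`. The attribute lines above `pub struct DnsRequestOptions` are not visible in this hunk. If the attribute is absent, the change should be called out in the changelog as API-breaking, and callers pointed at `..Default::default()`. The struct definition continues past the end of the hunk.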
|
||||
|
@ -38,6 +40,7 @@ impl Default for DnsRequestOptions {
|
|||
max_request_depth: 26,
|
||||
expects_multiple_responses: false,
|
||||
use_edns: false,
|
||||
edns_set_dnssec_ok: false,
|
||||
recursion_desired: true,
|
||||
}
|
||||
}
|
||||
|
|
|
@ -35,3 +35,7 @@ pub use hickory_proto as proto;
|
|||
pub use hickory_resolver as resolver;
|
||||
pub use hickory_resolver::config::NameServerConfig;
|
||||
pub use recursor::Recursor;
|
||||
|
||||
fn is_security_aware() -> bool {
|
||||
cfg!(feature = "dnssec")
|
||||
}
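Review bot: `is_security_aware` has no doc comment, and its name promises more than the body checks: it reports a compile-time feature flag, not whether responses are actually validated. I would add `/// True when built with the "dnssec" feature; the recursor then sends EDNS with the DO bit on outgoing queries (RFC 4035 section 3.2.1).` above it. Since `cfg!` expands to a boolean literal, the function can also be declared `const fn is_security_aware() -> bool`.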
|
||||
|
|
|
@ -90,8 +90,8 @@ where
|
|||
info!("querying {} for {}", self.zone, query_cpy);
|
||||
|
||||
let mut options = DnsRequestOptions::default();
|
||||
options.use_edns = false; // TODO: this should be configurable
|
||||
options.recursion_desired = false;
|
||||
options.use_edns = crate::is_security_aware();
|
||||
options.edns_set_dnssec_ok = crate::is_security_aware();
|
||||
|
||||
// convert the lookup into a shared future
|
||||
let lookup = ns
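Review bot: Setting DO on these queries only asks the upstream server to include DNSSEC records; nothing in this hunk shows those records being validated, so answers obtained here should not be treated as authenticated on the strength of this change alone. A comment above the two assignments would make that explicit: `// RFC 4035 section 3.2.1: a security-aware recursor sets DO on outgoing queries; this requests DNSSEC records, it does not validate them`. The old `// TODO: this should be configurable` is also dropped, although EDNS and DO are still fixed at build time rather than configurable per deployment, so I would keep a TODO to that effect. The enclosing function starts and ends outside the hunk.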
|
||||
|
|
|
@ -48,7 +48,7 @@ dnssec-ring = [
|
|||
"hickory-proto/dnssec-ring",
|
||||
"hickory-resolver/dnssec-ring",
|
||||
]
|
||||
dnssec = []
|
||||
dnssec = ["hickory-recursor?/dnssec"]
|
||||
# Recursive Resolution is Experimental!
|
||||
recursor = ["hickory-recursor"]
|
||||
resolver = ["hickory-resolver"]
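Review bot: The `?` in `hickory-recursor?/dnssec` decides whether the DO bit is ever set in a given build, so it deserves a comment above the `dnssec` line, for example `# weak dependency feature: turns on the recursor's dnssec only when the optional hickory-recursor dependency is enabled`. The visible tail of `dnssec-ring` lists the proto and resolver features, but the start of that list is above the hunk. If it does not also enable `dnssec`, a build with `dnssec-ring` and `recursor` would leave the recursor sending queries without DO, which is worth confirming.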
|
||||
|
|