recursor: set DO in outgoing queries

when the recursor is "security-aware" -- that is the "dnssec" feature is enabled -- as per RFC 4035 section 3.2.1
2024-04-24 19:27:49 +02:00 · 2024-04-24 19:27:49 +02:00 · cc81d5636e
commit cc81d5636e
parent cffc3fac2a
5 changed files with 12 additions and 4 deletions
--- a/crates/proto/src/xfer/dns_handle.rs
+++ b/crates/proto/src/xfer/dns_handle.rs
@ -85,7 +85,8 @@ fn build_message(query: Query, options: DnsRequestOptions) -> Message {
            .extensions_mut()
            .get_or_insert_with(Edns::new)
            .set_max_payload(MAX_PAYLOAD_LEN)
-            .set_version(0);
+            .set_version(0)
+            .set_dnssec_ok(options.edns_set_dnssec_ok);
    }
    message
 }
--- a/crates/proto/src/xfer/dns_request.rs
+++ b/crates/proto/src/xfer/dns_request.rs
@ -25,6 +25,8 @@ pub struct DnsRequestOptions {
    // TODO: add EDNS options here?
    /// When true, will add EDNS options to the request.
    pub use_edns: bool,
+    /// When true, sets the DO bit in the EDNS options
+    pub edns_set_dnssec_ok: bool,
    /// Specifies maximum request depth for DNSSEC validation.
    pub max_request_depth: usize,
    /// set recursion desired (or not) for any requests
@ -38,6 +40,7 @@ impl Default for DnsRequestOptions {
            max_request_depth: 26,
            expects_multiple_responses: false,
            use_edns: false,
+            edns_set_dnssec_ok: false,
            recursion_desired: true,
        }
    }
--- a/crates/recursor/src/lib.rs
+++ b/crates/recursor/src/lib.rs
@ -35,3 +35,7 @@ pub use hickory_proto as proto;
 pub use hickory_resolver as resolver;
 pub use hickory_resolver::config::NameServerConfig;
 pub use recursor::Recursor;
+
+fn is_security_aware() -> bool {
+    cfg!(feature = "dnssec")
+}
--- a/crates/recursor/src/recursor_pool.rs
+++ b/crates/recursor/src/recursor_pool.rs
@ -90,8 +90,8 @@ where
                info!("querying {} for {}", self.zone, query_cpy);

                let mut options = DnsRequestOptions::default();
-                options.use_edns = false; // TODO: this should be configurable
-                options.recursion_desired = false;
+                options.use_edns = crate::is_security_aware();
+                options.edns_set_dnssec_ok = crate::is_security_aware();

                // convert the lookup into a shared future
                let lookup = ns
--- a/crates/server/Cargo.toml
+++ b/crates/server/Cargo.toml
@ -48,7 +48,7 @@ dnssec-ring = [
    "hickory-proto/dnssec-ring",
    "hickory-resolver/dnssec-ring",
 ]
-dnssec = []
+dnssec = ["hickory-recursor?/dnssec"]
 # Recursive Resolution is Experimental!
 recursor = ["hickory-recursor"]
 resolver = ["hickory-resolver"]