aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKim Alvefur <zash@zash.se>2022-08-02 16:08:43 +0200
committerKim Alvefur <zash@zash.se>2022-08-02 16:08:43 +0200
commit79f4868b63ff6385bbc2290ba31361bcb7ce63b5 (patch)
tree664455f647704b3ea46012dfa1186544be577e81
parent9a375e444474e1e6a97ae57f393f639cfa813846 (diff)
downloadprosody-79f4868b63ff6385bbc2290ba31361bcb7ce63b5.tar.gz
prosody-79f4868b63ff6385bbc2290ba31361bcb7ce63b5.zip
net.resolvers.basic: Add opt-out argument for DNSSEC security status
This makes explicit which lookups can accept an unsigned response. Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as security would come from TLS, but an insecure TLSA record is worthless.
-rw-r--r--net/resolvers/basic.lua8
1 files changed, 5 insertions, 3 deletions
diff --git a/net/resolvers/basic.lua b/net/resolvers/basic.lua
index 15338ff4..e58165ba 100644
--- a/net/resolvers/basic.lua
+++ b/net/resolvers/basic.lua
@@ -10,7 +10,7 @@ local resolver_mt = { __index = methods };
-- FIXME RFC 6724
-local function do_dns_lookup(self, dns_resolver, record_type, name)
+local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure)
return promise.new(function (resolve, reject)
local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil;
if ipv and self.extra["use_ipv"..ipv] == false then
@@ -23,6 +23,8 @@ local function do_dns_lookup(self, dns_resolver, record_type, name)
return reject(err);
elseif answer.bogus then
return reject(("Validation error in %s lookup"):format(record_type));
+ elseif not (answer.secure or allow_insecure) then
+ return reject(("Insecure response in %s lookup"):format(record_type));
elseif answer.status and #answer == 0 then
return reject(("%s in %s lookup"):format(answer.status, record_type));
end
@@ -78,8 +80,8 @@ function methods:next(cb)
local dns_resolver = adns.resolver();
local dns_lookups = {
- ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname);
- ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname);
+ ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true);
+ ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true);
tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname));
};