From 79f4868b63ff6385bbc2290ba31361bcb7ce63b5 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Tue, 2 Aug 2022 16:08:43 +0200
Subject: net.resolvers.basic: Add opt-out argument for DNSSEC security status

This makes explicit which lookups can accept an unsigned response. Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as security would come from TLS, but an insecure TLSA record is worthless.
---
 net/resolvers/basic.lua | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'net')

diff --git a/net/resolvers/basic.lua b/net/resolvers/basic.lua
index 15338ff4..e58165ba 100644
--- a/net/resolvers/basic.lua
+++ b/net/resolvers/basic.lua
@@ -10,7 +10,7 @@ local resolver_mt = { __index = methods };
 -- FIXME RFC 6724
-local function do_dns_lookup(self, dns_resolver, record_type, name)
+local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure)
 return promise.new(function (resolve, reject)
 local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil;
 if ipv and self.extra["use_ipv"..ipv] == false then
@@ -23,6 +23,8 @@ local function do_dns_lookup(self, dns_resolver, record_type, name)
 return reject(err);
 elseif answer.bogus then
 return reject(("Validation error in %s lookup"):format(record_type));
+ elseif not (answer.secure or allow_insecure) then
+ return reject(("Insecure response in %s lookup"):format(record_type));
 elseif answer.status and #answer == 0 then
 return reject(("%s in %s lookup"):format(answer.status, record_type));
 end
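Review bot: The new `allow_insecure` parameter of do_dns_lookup is undocumented, and because a nil argument means "require a DNSSEC-validated answer", every caller must know that the default is fail-closed; a header comment above the signature such as `-- allow_insecure: accept an unsigned (insecure) answer; when nil/false the lookup is rejected unless the resolver marked the answer as secure` would make that contract explicit. In the second hunk the new check sits before the `answer.status and #answer == 0` branch, so an unsigned NXDOMAIN or NODATA is reported as "Insecure response" rather than by its status, which looks intended but deserves a one-line comment. The check also presumes the adns layer sets `answer.secure` only on validated responses, including negative ones; worth confirming against the resolver backend. The body of do_dns_lookup continues outside both hunks.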
@@ -78,8 +80,8 @@ function methods:next(cb)
 local dns_resolver = adns.resolver();
 local dns_lookups = {
- ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname);
- ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname);
+ ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true);
+ ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true);
 tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname));
 };
-- cgit v1.2.3
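Review bot: The TLSA lookup relies on the implicit nil default to demand a DNSSEC-secure answer, while the A and AAAA calls pass `true` explicitly; passing `false` on the `tlsa` line, `tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname), false);`, states the stricter requirement where a reader looks for it and keeps it intact if the parameter's default ever changes. An unsigned TLSA answer is now rejected with "Insecure response" instead of being returned, so whatever consumes `dns_lookups.tlsa` will see a rejection where it previously saw records; that consumer is outside the hunk, and it is worth confirming it treats this like "no usable TLSA" (falling back to non-DANE verification, as RFC 6698 requires for unvalidated TLSA) rather than failing the whole resolution. methods:next continues outside the hunk.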