Pull request 1734: 5479-ad-do-fix

Updates #5479. Squashed commit of the following: commit 348d0b94412aee510f291228b76c41a1b2f31d3e Merge: a0cf6f35 ff04b2a7 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Feb 13 18:42:47 2023 +0300 Merge branch 'master' into 5479-ad-do-fix commit a0cf6f3565c22b049c1e98d24c19854d911fd6e0 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Feb 13 18:02:54 2023 +0300 dnsforward: imp names, docs commit dfc0be504b3844ba65c2f21ff604edfc6d9040cd Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Feb 13 14:34:49 2023 +0300 dnsforward: fix ad flag for do reqs
2023-02-13 19:07:10 +03:00 · 2023-02-13 19:07:10 +03:00 · a50a8abb45
parent ff04b2a7d3
commit a50a8abb45
2 changed files with 48 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -84,6 +84,8 @@ In this release, the schema version has changed from 14 to 16.
 ### Fixed
 - Setting the AD (Authenticated Data) flag on responses that have the DO (DNSSEC
  OK) flag set but not the AD flag ([#5479]).
 - Client names resolved via reverse DNS not being updated ([#4939]).
 - The icon for League Of Legends on the Blocked services page ([#5433]).
@ -91,10 +93,12 @@ In this release, the schema version has changed from 14 to 16.
 - Go 1.18 support, as it has reached end of life.
 [#1717]: https://github.com/AdguardTeam/AdGuardHome/issues/1717
 [#4299]: https://github.com/AdguardTeam/AdGuardHome/issues/4299
 [#4939]: https://github.com/AdguardTeam/AdGuardHome/issues/4939
 [#5433]: https://github.com/AdguardTeam/AdGuardHome/issues/5433
 [#5479]: https://github.com/AdguardTeam/AdGuardHome/issues/5479
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
--- a/internal/dnsforward/dns.go
+++ b/internal/dnsforward/dns.go
@ -651,13 +651,7 @@ func (s *Server) processUpstream(dctx *dnsContext) (rc resultCode) {
 	s.setCustomUpstream(pctx, dctx.clientID)
-	origReqAD := false
+	reqWantsDNSSEC := s.setReqAD(req)
 	if s.conf.EnableDNSSEC {
 		origReqAD = req.AuthenticatedData
 		if !req.AuthenticatedData {
 			req.AuthenticatedData = true
 		}
 	}
 	// Process the request further since it wasn't filtered.
 	prx := s.proxy()
@ -688,12 +682,52 @@ func (s *Server) processUpstream(dctx *dnsContext) (rc resultCode) {
 	dctx.responseFromUpstream = true
 	dctx.responseAD = pctx.Res.AuthenticatedData
-	if s.conf.EnableDNSSEC && !origReqAD {
+	s.setRespAD(pctx, reqWantsDNSSEC)
 	return resultCodeSuccess
 }
 // setReqAD changes the request based on the server settings.  wantsDNSSEC is
 // false if the response should be cleared of the AD bit.
 //
 // TODO(a.garipov, e.burkov): This should probably be done in module dnsproxy.
 func (s *Server) setReqAD(req *dns.Msg) (wantsDNSSEC bool) {
 	if !s.conf.EnableDNSSEC {
 		return false
 	}
 	origReqAD := req.AuthenticatedData
 	req.AuthenticatedData = true
 	// Per [RFC 6840] says, validating resolvers should only set the AD bit when
 	// the response has the AD bit set and the request contained either a set DO
 	// bit or a set AD bit.  So, if neither of these is true, clear the AD bits
 	// in [Server.setRespAD].
 	//
 	// [RFC 6840]: https://datatracker.ietf.org/doc/html/rfc6840#section-5.8
 	return origReqAD || hasDO(req)
 }
 // hasDO returns true if msg has EDNS(0) options and the DNSSEC OK flag is set
 // in there.
 //
 // TODO(a.garipov): Move to golibs/dnsmsg when it's there.
 func hasDO(msg *dns.Msg) (do bool) {
 	o := msg.IsEdns0()
 	if o == nil {
 		return false
 	}
 	return o.Do()
 }
 // setRespAD changes the request and response based on the server settings and
 // the original request data.
 func (s *Server) setRespAD(pctx *proxy.DNSContext, reqWantsDNSSEC bool) {
 	if s.conf.EnableDNSSEC && !reqWantsDNSSEC {
 		pctx.Req.AuthenticatedData = false
 		pctx.Res.AuthenticatedData = false
 	}
 	return resultCodeSuccess
 }
 // isDHCPClientHostQ returns true if q is from a request for a DHCP client