From 3e3002ffead0526d088c353f97475400367087da Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar Date: Tue, 24 Feb 2015 12:57:26 +0530 Subject: Skip logging for DNSSEC responses [BZ 14841] DNSSEC defines a number of response types that one me expect when the DO bit is set. We don't process any of them, but since we do allow setting the DO bit, skip them without logging an error since it is only a nuisance. Tested on x86_64. [BZ #14841] * resolv/gethnamaddr.c (getanswer): Skip logging if RES_USE_DNSSEC is set. * resolv/nss_dns/dns-host.c (getanswer_r): Likewise. --- ChangeLog | 7 +++++++ NEWS | 6 +++--- resolv/gethnamaddr.c | 25 ++++++++++--------------- resolv/nss_dns/dns-host.c | 23 ++++++++--------------- 4 files changed, 28 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6815223db6..2501fa5cc9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2015-02-24 Siddhesh Poyarekar + + [BZ #14841] + * resolv/gethnamaddr.c (getanswer): Skip logging if + RES_USE_DNSSEC is set. + * resolv/nss_dns/dns-host.c (getanswer_r): Likewise. + 2015-02-24 Mike Frysinger * sysdeps/unix/sysv/linux/hppa/sysdep.h: Include dl-sysdep.h. diff --git a/NEWS b/NEWS index e5d8ee8834..3925acd93f 100644 --- a/NEWS +++ b/NEWS @@ -9,9 +9,9 @@ Version 2.22 * The following bugs are resolved with this release: - 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588, - 17792, 17836, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, - 17978, 17987, 17991, 17996, 17998, 17999. + 4719, 14841, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, + 17588, 17792, 17836, 17912, 17932, 17944, 17949, 17964, 17965, 17967, + 17969, 17978, 17987, 17991, 17996, 17998, 17999. * Character encoding and ctype tables were updated to Unicode 7.0.0, using new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c index a861a847ce..7fd0e497b1 100644 --- a/resolv/gethnamaddr.c +++ b/resolv/gethnamaddr.c @@ -331,23 +331,18 @@ getanswer (const querybuf *answer, int anslen, const char *qname, int qtype) buflen -= n; continue; } - if ((type == T_SIG) || (type == T_KEY) || (type == T_NXT)) { - /* We don't support DNSSEC yet. For now, ignore - * the record and send a low priority message - * to syslog. - */ - syslog(LOG_DEBUG|LOG_AUTH, - "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"", - qname, p_class(C_IN), p_type(qtype), - p_type(type)); - cp += n; - continue; - } if (type != qtype) { - syslog(LOG_NOTICE|LOG_AUTH, + /* Log a low priority message if we get an unexpected + * record, but skip it if we are using DNSSEC since it + * uses many different types in responses that do not + * match QTYPE. + */ + if ((_res.options & RES_USE_DNSSEC) == 0) { + syslog(LOG_NOTICE|LOG_AUTH, "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"", - qname, p_class(C_IN), p_type(qtype), - p_type(type)); + qname, p_class(C_IN), p_type(qtype), + p_type(type)); + } cp += n; continue; /* XXX - had_error++ ? */ } diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index f715ab0b3f..b16b0ddf11 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -820,26 +820,19 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, linebuflen -= n; continue; } - if (__builtin_expect (type == T_SIG, 0) - || __builtin_expect (type == T_KEY, 0) - || __builtin_expect (type == T_NXT, 0)) - { - /* We don't support DNSSEC yet. For now, ignore the record - and send a low priority message to syslog. */ - syslog (LOG_DEBUG | LOG_AUTH, - "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"", - qname, p_class (C_IN), p_type(qtype), p_type (type)); - cp += n; - continue; - } if (type == T_A && qtype == T_AAAA && map) have_to_map = 1; else if (__glibc_unlikely (type != qtype)) { - syslog (LOG_NOTICE | LOG_AUTH, - "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"", - qname, p_class (C_IN), p_type (qtype), p_type (type)); + /* Log a low priority message if we get an unexpected record, but + skip it if we are using DNSSEC since it uses many different types + in responses that do not match QTYPE. */ + if ((_res.options & RES_USE_DNSSEC) == 0) + syslog (LOG_NOTICE | LOG_AUTH, + "gethostby*.getanswer: asked for \"%s %s %s\", " + "got type \"%s\"", + qname, p_class (C_IN), p_type (qtype), p_type (type)); cp += n; continue; /* XXX - had_error++ ? */ } -- cgit 1.4.1