NLnetLabs · wtoorop · Jun 24, 2021 · Jun 24, 2021 · Aug 13, 2021 · Aug 16, 2021
diff --git a/daemon/worker.c b/daemon/worker.c
@@ -484,6 +484,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 				msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 				worker->env.now_tv))
 					return 0;
+			EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
+				worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, "");
 			error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, 
 				&msg->qinfo, id, flags, edns);
 			if(worker->stats.extended) {
@@ -499,6 +501,9 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 			secure = 1;
 			break;
 		case sec_status_indeterminate:
+			EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
+				worker->scratchpad, LDNS_EDE_DNSSEC_INDETERMINATE, "");
+			/* fallthrough */
 		case sec_status_insecure:
 		default:
 			/* not secure */
@@ -654,6 +659,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 			LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
 			worker->env.now_tv))
 			goto bail_out;
+		EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
+			worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, "");
 		error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
 			qinfo, id, flags, edns);
 		rrset_array_unlock_touch(worker->env.rrset_cache,
@@ -1020,6 +1027,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 			worker->stats.unwanted_queries++;
 		return 0;
 	} else if(acl == refuse) {
+		size_t opt_rr_mark;
+
 		log_addr(VERB_ALGO, "refused query from",
 			&repinfo->addr, repinfo->addrlen);
 		log_buf(VERB_ALGO, "refuse", c->buffer);
@@ -1029,15 +1038,124 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 			comm_point_drop_reply(repinfo);
 			return 0; /* discard this */
 		}
-		sldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
-		sldns_buffer_write_at(c->buffer, 4, 
-			(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
+		log_assert(LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) == 1);
+
+		sldns_buffer_skip(c->buffer, LDNS_HEADER_SIZE); /* skip header */
+
+		if (!query_dname_len(c->buffer)) {
+			LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+			LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
+				LDNS_RCODE_FORMERR);
+			sldns_buffer_flip(c->buffer);
+			return 1;
+		}
+		if (sldns_buffer_remaining(c->buffer) < 2 * sizeof(uint16_t)) {
+                        LDNS_QR_SET(sldns_buffer_begin(c->buffer));
+                        LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
+				 LDNS_RCODE_FORMERR);
+                        sldns_buffer_flip(c->buffer);
+			return 1;
+		}
 		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
 			LDNS_RCODE_REFUSED);
-		sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE);
+
+		sldns_buffer_skip(c->buffer, (ssize_t)sizeof(uint16_t)); /* skip qtype */
+
+		/* check the qclass */
+		if (sldns_buffer_read_u16(c->buffer) != LDNS_RR_CLASS_IN) {
+			LDNS_QDCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			sldns_buffer_flip(c->buffer);
+			return 1;
+		}
+
+		/* check edns section is present */
+		if(LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) != 1) {
+			LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			sldns_buffer_flip(c->buffer);
+			return 1;
+		}
+
+		/* The OPT RR to be returned should come directly after
+		 * the query, so mark this spot.
+		 */
+		opt_rr_mark = sldns_buffer_position(c->buffer);
+
+		/* Skip through the RR records */
+		if(LDNS_ANCOUNT(sldns_buffer_begin(c->buffer)) != 0 ||
+			LDNS_NSCOUNT(sldns_buffer_begin(c->buffer)) != 0) {
+			if(!skip_pkt_rrs(c->buffer, 
+				((int)LDNS_ANCOUNT(sldns_buffer_begin(c->buffer)))+
+				((int)LDNS_NSCOUNT(sldns_buffer_begin(c->buffer))))) {
+				LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
+					LDNS_RCODE_FORMERR);
+				sldns_buffer_flip(c->buffer);
+				return 1;
+			}
+		}
+		/* Do we have a valid OPT RR here? If not return FORMERR */
+		/* domain name must be the root of length 1. */
+		if(pkt_dname_len(c->buffer) != 1) {
+			LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
+				LDNS_RCODE_FORMERR);
+			return 1;
+		}
+		if(sldns_buffer_remaining(c->buffer) < 2 ||
+			sldns_buffer_read_u16(c->buffer) != LDNS_RR_TYPE_OPT) {
+			LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
+				LDNS_RCODE_FORMERR);
+			sldns_buffer_flip(c->buffer);
+			return 1;
+		}
+		/* Write OPT RR directly after the query,
+		 * so without the (possibly skipped) Answer and NS RRs
+		 */
+		LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+		LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+		sldns_buffer_set_position(c->buffer, opt_rr_mark);
+
+		/* Check if OPT record can be written
+		 * 17 == root label (1) + RR type (2) + UDP Size (2)
+		 *     + Fields (4) + rdata len (2) + EDE Option code (2)
+		 *     + EDE Option length (2) + EDE info-code (2)
+		 */
+		if (sldns_buffer_available(c->buffer, 17) == 0) {
+			LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0);
+			sldns_buffer_flip(c->buffer);
+			return 1;
+		}
+
+		LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 1);
+
+		/* root label */
+		sldns_buffer_write_u8(c->buffer, 0);
+		sldns_buffer_write_u16(c->buffer, LDNS_RR_TYPE_OPT);
+		sldns_buffer_write_u16(c->buffer, EDNS_ADVERTISED_SIZE);
+
+		/* write OPT Record TTL Field */
+		sldns_buffer_write_u32(c->buffer, 0);
+
+		/* write rdata len: EDE option + length + info-code */
+		sldns_buffer_write_u16(c->buffer, 6);
+
+		/* write OPTIONS; add EDE option code */
+		sldns_buffer_write_u16(c->buffer, LDNS_EDNS_EDE);
+
+		/* write single EDE option length (for just 1 info-code) */
+		sldns_buffer_write_u16(c->buffer, 2);
+
+		/* write single EDE info-code */
+		sldns_buffer_write_u16(c->buffer, LDNS_EDE_PROHIBITED);
+
 		sldns_buffer_flip(c->buffer);
+
 		return 1;
+
 	}
 
 	return -1;
@@ -1382,12 +1500,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	 * ACLs allow the snooping. */
 	if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
 		acl != acl_allow_snoop ) {
+		EDNS_OPT_LIST_APPEND_EDE(&edns.opt_list_out,
+			worker->scratchpad, LDNS_EDE_NOT_AUTHORITATIVE, "");
 		error_encode(c->buffer, LDNS_RCODE_REFUSED, &qinfo,
 			*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
-			sldns_buffer_read_u16_at(c->buffer, 2), NULL);
+			sldns_buffer_read_u16_at(c->buffer, 2), &edns);
 		regional_free_all(worker->scratchpad);
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
+
 		goto send_reply;
 	}
 
@@ -1460,10 +1581,23 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 						< *worker->env.now)
 						leeway = 0;
 					lock_rw_unlock(&e->lock);
+
+					// // stale answer? 
+					// if (worker->env.cfg->serve_expired &&
+					// 	*worker->env.now >= ((struct reply_info*)e->data)->ttl) {
+					// 	// EDE Error Code 3 - Stale Answer
+					// 	EDNS_OPT_LIST_APPEND_EDE(&edns.opt_list_out, worker->scratchpad,
+					// LDNS_EDE_STALE_ANSWER, "");
+					// }
+
+					// add EDNS struct?
 					reply_and_prefetch(worker, lookup_qinfo,
 						sldns_buffer_read_u16_at(c->buffer, 2),
 						repinfo, leeway,
 						(partial_rep || need_drop));
+
+
+
 					if(!partial_rep) {
 						rc = 0;
 						regional_free_all(worker->scratchpad);
@@ -1500,6 +1634,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			verbose(VERB_ALGO, "answer from the cache failed");
 			lock_rw_unlock(&e->lock);
 		}
+
+		// @TODO Extended DNS Error Code 13 - Cached Error? place not clear
+
 		if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
 			if(answer_norec_from_cache(worker, &qinfo,
 				*(uint16_t*)(void *)sldns_buffer_begin(c->buffer), 

diff --git a/services/localzone.c b/services/localzone.c
@@ -1286,11 +1286,54 @@ local_encode(struct query_info* qinfo, struct module_env* env,
 	return 1;
 }
 
+/** encode answer consisting of 1 rrset (with EDE code) */
+static int
+local_encode_ede(struct query_info* qinfo, struct module_env* env,
+	struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
+	struct regional* temp, struct ub_packed_rrset_key* rrset, int ansec,
+	int rcode, sldns_ede_code ede_code, const char* ede_txt)
+{
+	struct reply_info rep;
+	uint16_t udpsize;
+	/* make answer with time=0 for fixed TTL values */
+	memset(&rep, 0, sizeof(rep));
+	rep.flags = (uint16_t)((BIT_QR | BIT_AA | BIT_RA) | rcode);
+	rep.qdcount = 1;
+	if(ansec)
+		rep.an_numrrsets = 1;
+	else	rep.ns_numrrsets = 1;
+	rep.rrset_count = 1;
+	rep.rrsets = &rrset;
+	udpsize = edns->udp_size;
+	edns->edns_version = EDNS_ADVERTISED_VERSION;
+	edns->udp_size = EDNS_ADVERTISED_SIZE;
+	edns->ext_rcode = 0;
+	edns->bits &= EDNS_DO;
+	if(!inplace_cb_reply_local_call(env, qinfo, NULL, &rep, rcode, edns,
+		repinfo, temp, env->now_tv)) {
+		error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
+			*(uint16_t*)sldns_buffer_begin(buf),
+			sldns_buffer_read_u16_at(buf, 2), edns);
+	} else {
+		edns_opt_list_append_ede(&edns->opt_list_out, temp, ede_code, ede_txt);
+
+		if(!reply_info_answer_encode(qinfo, &rep,
+			*(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2),
+			buf, 0, 0, temp, udpsize, edns, (int)(edns->bits&EDNS_DO), 0)) {
+			error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
+				*(uint16_t*)sldns_buffer_begin(buf),
+				sldns_buffer_read_u16_at(buf, 2), edns);
+		}
+	}
+	return 1;
+}
+
 /** encode local error answer */
 static void
 local_error_encode(struct query_info* qinfo, struct module_env* env,
 	struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
-	struct regional* temp, int rcode, int r)
+	struct regional* temp, int rcode, int r, sldns_ede_code ede_code,
+	const char* ede_txt)
 {
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -1300,6 +1343,8 @@ local_error_encode(struct query_info* qinfo, struct module_env* env,
 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
 		rcode, edns, repinfo, temp, env->now_tv))
 		edns->opt_list_inplace_cb_out = NULL;
+	if(ede_code >= 0 && env->cfg->local_data_do_ede)
+		edns_opt_list_append_ede(&edns->opt_list_out, temp, ede_code, ede_txt);
 	error_encode(buf, r, qinfo, *(uint16_t*)sldns_buffer_begin(buf),
 		sldns_buffer_read_u16_at(buf, 2), edns);
 }
@@ -1495,9 +1540,11 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 
 			if(newtargetlen > LDNS_MAX_DOMAINLEN) {
 				qinfo->local_alias = NULL;
-				local_error_encode(qinfo, env, edns, repinfo,
+				local_error_encode(qinfo, env, edns,repinfo,
 					buf, temp, LDNS_RCODE_YXDOMAIN,
-					(LDNS_RCODE_YXDOMAIN|BIT_AA));
+					(LDNS_RCODE_YXDOMAIN|BIT_AA),
+					LDNS_EDE_OTHER,
+					"DNAME expansion became too large");
 				return 1;
 			}
 			memset(&qinfo->local_alias->rrset->entry, 0,
@@ -1542,6 +1589,7 @@ local_data_answer(struct local_zone* z, struct module_env* env,
 		return local_encode(qinfo, env, edns, repinfo, buf, temp, &r, 1,
 			LDNS_RCODE_NOERROR);
 	}
+	// @TODO add EDE?
 	return local_encode(qinfo, env, edns, repinfo, buf, temp, lr->rrset, 1,
 		LDNS_RCODE_NOERROR);
 }
@@ -1600,7 +1648,8 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 	} else if(lz_type == local_zone_refuse
 		|| lz_type == local_zone_always_refuse) {
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp,
-			LDNS_RCODE_REFUSED, (LDNS_RCODE_REFUSED|BIT_AA));
+			LDNS_RCODE_REFUSED, (LDNS_RCODE_REFUSED|BIT_AA),
+			LDNS_EDE_BLOCKED, "");
 		return 1;
 	} else if(lz_type == local_zone_static ||
 		lz_type == local_zone_redirect ||
@@ -1625,8 +1674,8 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		if(z != NULL && z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				z->soa_negative, 0, rcode);
-		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
-			(rcode|BIT_AA));
+		local_error_encode(qinfo, env, edns, repinfo, buf, temp,
+			rcode, (rcode|BIT_AA), LDNS_EDE_BLOCKED, "");
 		return 1;
 	} else if(lz_type == local_zone_typetransparent
 		|| lz_type == local_zone_always_transparent) {
@@ -1664,12 +1713,13 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 			d.rr_len = &rr_len;
 			d.rr_data = &rr_datas;
 			d.rr_ttl = &rr_ttl;
-			return local_encode(qinfo, env, edns, repinfo, buf, temp,
-				&lrr, 1, LDNS_RCODE_NOERROR);
+			return local_encode_ede(qinfo, env, edns, repinfo, buf, temp,
+				&lrr, 1, LDNS_RCODE_NOERROR, LDNS_EDE_FORGED_ANSWER, "");
 		} else {
+			/* NODATA: No EDE needed */
 			local_error_encode(qinfo, env, edns, repinfo, buf,
 				temp, LDNS_RCODE_NOERROR,
-				(LDNS_RCODE_NOERROR|BIT_AA));
+				(LDNS_RCODE_NOERROR|BIT_AA), -1, NULL);
 		}
 		return 1;
 	}
@@ -1682,8 +1732,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 		if(z != NULL && z->soa && z->soa_negative)
 			return local_encode(qinfo, env, edns, repinfo, buf, temp,
 				z->soa_negative, 0, rcode);
+		/* NODATA: No EDE needed */
 		local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode,
-			(rcode|BIT_AA));
+			(rcode|BIT_AA), -1, NULL);
 		return 1;
 	}
 

diff --git a/services/mesh.c b/services/mesh.c
@@ -1290,6 +1290,22 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 				&r->edns, &r->query_reply, m->s.region, &r->start_time))
 					r->edns.opt_list_inplace_cb_out = NULL;
 		}
+		/* Send along EDE BOGUS EDNS0 option when answer is bogus */
+		if(rcode == LDNS_RCODE_SERVFAIL &&
+			m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
+			m->s.env->cfg->ignore_cd) && rep &&
+			(rep->security <= sec_status_bogus ||
+			rep->security == sec_status_secure_sentinel_fail)) {
+
+			char *reason = m->s.env->cfg->val_log_level >= 2
+			             ? errinf_to_str_bogus(&m->s) : NULL;
+			sldns_ede_code reason_bogus = rep->reason_bogus != LDNS_EDE_DNSSEC_BOGUS
+			                            ? rep->reason_bogus : errinf_to_reason_bogus(&m->s);
+
+			edns_opt_list_append_ede(&r->edns.opt_list_out, m->s.region,
+					reason_bogus, reason);
+			free(reason);
+		}
 		error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
 			r->qflags, &r->edns);
 		m->reply_list = NULL;
@@ -1313,6 +1329,7 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 			if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s,
 			rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time))
 				r->edns.opt_list_inplace_cb_out = NULL;
+			// @TODO EDE?
 			error_encode(r_buffer, LDNS_RCODE_SERVFAIL,
 				&m->s.qinfo, r->qid, r->qflags, &r->edns);
 		}