net.resolvers.basic: Add opt-out argument for DNSSEC security status
authorKim Alvefur <zash@zash.se>
Tue, 02 Aug 2022 16:08:43 +0200
changeset 12605 72f7bb3f30d3
parent 12604 3d3a0c4e2662
child 12606 9184fe3d489a
net.resolvers.basic: Add opt-out argument for DNSSEC security status This makes explicit which lookups can accept an unsigned response. Insecure (unsigned, as before DNSSEC) A and AAAA records can be used as security would come from TLS, but an insecure TLSA record is worthless.
net/resolvers/basic.lua
--- a/net/resolvers/basic.lua	Fri Jul 29 17:10:31 2022 +0200
+++ b/net/resolvers/basic.lua	Tue Aug 02 16:08:43 2022 +0200
@@ -10,7 +10,7 @@
 
 -- FIXME RFC 6724
 
-local function do_dns_lookup(self, dns_resolver, record_type, name)
+local function do_dns_lookup(self, dns_resolver, record_type, name, allow_insecure)
 	return promise.new(function (resolve, reject)
 		local ipv = (record_type == "A" and "4") or (record_type == "AAAA" and "6") or nil;
 		if ipv and self.extra["use_ipv"..ipv] == false then
@@ -23,6 +23,8 @@
 				return reject(err);
 			elseif answer.bogus then
 				return reject(("Validation error in %s lookup"):format(record_type));
+			elseif not (answer.secure or allow_insecure) then
+				return reject(("Insecure response in %s lookup"):format(record_type));
 			elseif answer.status and #answer == 0 then
 				return reject(("%s in %s lookup"):format(answer.status, record_type));
 			end
@@ -78,8 +80,8 @@
 	local dns_resolver = adns.resolver();
 
 	local dns_lookups = {
-		ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname);
-		ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname);
+		ipv4 = do_dns_lookup(self, dns_resolver, "A", self.hostname, true);
+		ipv6 = do_dns_lookup(self, dns_resolver, "AAAA", self.hostname, true);
 		tlsa = do_dns_lookup(self, dns_resolver, "TLSA", ("_%d._%s.%s"):format(self.port, self.conn_type, self.hostname));
 	};
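Review bot: The new `allow_insecure` parameter is undocumented, and its fail-closed default (an omitted or `nil` argument now rejects any answer without `answer.secure`) is the behavioural change callers most need to know about; a header comment above `do_dns_lookup` such as `-- allow_insecure: pass true to accept unsigned (non-DNSSEC) answers; nil/false rejects them, which is what TLSA needs` would make that explicit. Note also that the new `elseif` sits before the `answer.status and #answer == 0` branch, so an unsigned NXDOMAIN/NODATA for the TLSA name is reported as "Insecure response" rather than by its status; that looks intentional for DANE, since an unvalidated denial of existence should not be trusted, but it is worth stating in the same comment so nobody later reorders the checks. Whether `answer.secure` is always populated by the adns resolver (as opposed to absent when validation is unavailable) is not visible here; if it can be absent, every TLSA lookup will now fail, which may be the intent but deserves confirming. The rest of the promise body and the callers in the `dns_lookups` table continue outside the shown hunks.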