diff -c -r lftp-3.5.10.orig/src/Resolver.cc lftp-3.5.10/src/Resolver.cc *** lftp-3.5.10.orig/src/Resolver.cc Tue Jun 13 10:35:40 2006 --- lftp-3.5.10/src/Resolver.cc Wed Apr 30 13:13:14 2008 *************** *** 76,81 **** --- 76,85 ---- # define DEFAULT_ORDER "inet" #endif + #ifdef LOCAL_DNSSEC_VALIDATION + # include <validator/validator.h> + #endif + struct address_family { *************** *** 505,510 **** --- 509,518 ---- int retries=0; int max_retries=ResMgr::Query("dns:max-retries",hostname); int len; + #ifdef LOCAL_DNSSEC_VALIDATION + val_status_t val_status; + int require_trust=ResMgr::Query("dns:strict-dnssec",hostname); + #endif for(;;) { if(!use_fork) *************** *** 514,522 **** --- 522,541 ---- return; } time(&try_time); + + #ifndef LOCAL_DNSSEC_VALIDATION len=res_search(srv_name, C_IN, T_SRV, answer, sizeof(answer)); if(len>=0) break; + #else + len=val_res_search(srv_name, C_IN, T_SRV, answer, sizeof(answer), &val_status); + if(len>=0) { + if(require_trust && ! val_istrusted(val_status)) + return; + else + break; + } + #endif #ifdef HAVE_H_ERRNO if(h_errno!=TRY_AGAIN) return; *************** *** 700,705 **** --- 719,725 ---- int retries=0; int max_retries=ResMgr::Query("dns:max-retries",name); + int require_trust=ResMgr::Query("dns:strict-dnssec",name); for(;;) { if(!use_fork) *************** *** 719,739 **** && !defined(HAVE_GETIPNODEBYNAME) */ // getaddrinfo support by Brandon Hume ! struct addrinfo *ainfo=0, ! *a_res, ! a_hint; int ainfo_res; struct sockaddr *sockname; struct sockaddr_in *inet_addr; struct sockaddr_in6 *inet6_addr; const char *addr_data; int addr_len; memset(&a_hint, 0, sizeof(a_hint)); a_hint.ai_flags = AI_PASSIVE; a_hint.ai_family = PF_UNSPEC; ainfo_res = getaddrinfo(name, NULL, &a_hint, &ainfo); if(ainfo_res == 0) { --- 739,774 ---- && !defined(HAVE_GETIPNODEBYNAME) */ // getaddrinfo support by Brandon Hume ! struct addrifo *ainfo=0, ! *a_res; ! 
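Review bot: In the `#else` branch of the SRV lookup, an answer that fails `val_istrusted()` while `dns:strict-dnssec` is set is dropped with a bare `return;`, so nothing records that validation, rather than a missing SRV record, ended the lookup. Log the rejection through whatever logging this file already uses, and add a comment such as `// untrusted SRV answer: ignore it, the address lookup checks dns:strict-dnssec again` if that is the intent. Also confirm that `val_res_search()` sets `h_errno` on failure, since the retry test just below still reads it. The enclosing function starts and ends outside the hunk.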
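Review bot: `require_trust` is declared unconditionally in the hunk at new line 722, but its only visible use in this patch is inside `#ifdef LOCAL_DNSSEC_VALIDATION`. Builds without the validator therefore get an unused variable and query a setting they never honour. Guard it as the SRV hunk does: `#ifdef LOCAL_DNSSEC_VALIDATION`, `int require_trust=ResMgr::Query("dns:strict-dnssec",name);`, `#endif`. Nothing in this diff registers a default for `dns:strict-dnssec`, so check that the query is well defined when the user has not set it. The enclosing function extends beyond the hunk.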
a_hint; int ainfo_res; struct sockaddr *sockname; struct sockaddr_in *inet_addr; struct sockaddr_in6 *inet6_addr; const char *addr_data; int addr_len; + #ifdef LOCAL_DNSSEC_VALIDATION + val_status_t val_status; + #endif memset(&a_hint, 0, sizeof(a_hint)); a_hint.ai_flags = AI_PASSIVE; a_hint.ai_family = PF_UNSPEC; + #ifndef LOCAL_DNSSEC_VALIDATION ainfo_res = getaddrinfo(name, NULL, &a_hint, &ainfo); + #else + ainfo_res = val_getaddrinfo(NULL, name, NULL, &a_hint, &ainfo, + &val_status); + if((ainfo_res == 0) && ! val_istrusted(val_status) && + require_trust) + { + // untrusted answer + error = _("DNS resoloution not trusted."); + break; + } + #endif if(ainfo_res == 0) { *************** *** 767,772 **** --- 802,808 ---- } freeaddrinfo(ainfo); + break; } Only in lftp-3.5.10/src: Resolver.cc.orig
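Review bot: The rewritten declaration does not compile as shown: `struct addrifo` is misspelled, and `*a_res;` now ends the statement, leaving `a_hint;` undeclared although `memset(&a_hint, ...)` uses it a few lines later. Restore `struct addrinfo *ainfo=0,` `*a_res,` `a_hint;`. In the untrusted branch `val_getaddrinfo()` has returned 0, so `ainfo` presumably holds a result list, and the `break` leaves the loop without releasing it. Release it the way the success path does, with `freeaddrinfo(ainfo);` before `error = ...`, and correct the message to `"DNS resolution not trusted."`. Only this getaddrinfo path is validated, and the block continues outside the hunk, so confirm the other resolver branches cannot be compiled in when `dns:strict-dnssec` is expected to hold.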