bns
Various updates to match authoritative behavior of BIND9
Closes #5 Closes #21 Closes #16 Closes #15
A few edge cases aren't complete, indicated by skip in some of the tests.
Test cases were designed to match results from adding the same record set to named and querying.
Changes summary:
zone: only serve wildcard if there was otherwise no match
if *.domain. exists in the zone along with sub.domain., do not return the wildcard record as an answer for domain., sub.domain. or sub.otherdomain.
zone: return CNAME records for any type requested
sub.domain. CNAME domain.
We should return this CNAME record whenever sub.domain is requested, no matter what the requested type is.
zone: glue requested type, default A / AAAA
Assuming "glue" exists:
sub.domain. CNAME domain.
domain. TXT "return this string"
domain. A 10.20.30.40
When sub.domain. is queried, the corresponding type should be returned as "glue" (it goes in the answer section though, not additional). We return A/AAAA records by default. In other words, the CNAME glue is treated like its own request, including adding SOA to authority section if no answer is available. So sub.domain. TXT would return the CNAME record along with the TXT record.
zone: wildcard matches more than one label
*.domain. TXT "wow such zone file"
This record should be matched against sub.domain. TXT but also foo.bar.sub.domain. TXT.
zone: filter out wildcards that do not match
*.domain. TXT "wow such zone file"
This record should NOT be returned for a query for another.domain. because it does not match.
zone: add SOA if authoritative but no answers. Applies to CNAME glue
Always sets the aa flag if we have a corresponding SOA in the zone, even if we don't include an actual SOA record (which we usually don't if an answer is present). This will also apply to "glue" from CNAME matches:
(results from named)
Record matching requested type present for target of CNAME:
$ dig @127.0.0.1 -p 5300 subdomain-glue.coolness. a
; <<>> DiG 9.16.3 <<>> @127.0.0.1 -p 5300 subdomain-glue.coolness. a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22759
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 49555c2cbce32a34010000005f04854da468d429742abd77 (good)
;; QUESTION SECTION:
;subdomain-glue.coolness. IN A
;; ANSWER SECTION:
subdomain-glue.coolness. 21600 IN CNAME coolness.
coolness. 21600 IN A 10.20.30.40
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Tue Jul 07 10:23:09 EDT 2020
;; MSG SIZE rcvd: 110
Record matching requested type NOT present for target of CNAME:
$ dig @127.0.0.1 -p 5300 subdomain-glue.coolness. dnskey
; <<>> DiG 9.16.3 <<>> @127.0.0.1 -p 5300 subdomain-glue.coolness. dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39596
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0881e1c766abc5dc010000005f04855092e02236a58a19af (good)
;; QUESTION SECTION:
;subdomain-glue.coolness. IN DNSKEY
;; ANSWER SECTION:
subdomain-glue.coolness. 21600 IN CNAME coolness.
;; AUTHORITY SECTION:
coolness. 300 IN SOA ns1.dns.live. root.coolness. 2020061644 21600 3600 2419200 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Tue Jul 07 10:23:12 EDT 2020
;; MSG SIZE rcvd: 147
zone: no-authority no-records answer should be as quiet as possible
Match behavior from named if the request is totally wrong for our zone (unless we are root)
$ dig @127.0.0.1 -p 5300 wefwefwefwe
; <<>> DiG 9.16.3 <<>> @127.0.0.1 -p 5300 wefwefwefwe
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12103
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e4870ba35d143d46010000005f048e4a5c2dbf97b1ebef58 (good)
;; QUESTION SECTION:
;wefwefwefwe. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Tue Jul 07 11:01:30 EDT 2020
;; MSG SIZE rcvd: 68
zone: add zsk property and enable ad-hoc signing
Self-explanatory. Enables loading a ZSK into the AuthServer to sign wildcard records upon request.
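The rules listed above (wildcard only when nothing else matches, wildcard spanning several labels, CNAME returned for every type and then chased for the requested type, SOA in the authority section on NODATA, REFUSED outside the zone), written out as an added stand-alone example. This is not code from bns or from this PR; the zone object, the record shape, the names sub.coolness., other.coolness. and *.other.coolness., and the helper names are assumptions made for the example. It goes one step beyond the description by applying the RFC 4592 closest-encloser rule: a wildcard is not used for a name below an existing name, where an empty non-terminal such as other.coolness. also counts as existing.

```javascript
// Added example, not part of bns: a minimal authoritative lookup applying the
// zone rules from the PR description to an in-memory record set.
// Names are absolute and lower-case ("coolness."); records are plain objects.

const RCODE = { NOERROR: 'NOERROR', NXDOMAIN: 'NXDOMAIN', REFUSED: 'REFUSED' };

// Constructed sample zone modeled on the dig transcripts above (not a real zone file).
const ZONE = {
  origin: 'coolness.',
  soa: { name: 'coolness.', type: 'SOA', ttl: 300,
         data: 'ns1.dns.live. root.coolness. 2020061644 21600 3600 2419200 86400' },
  records: [
    { name: 'coolness.', type: 'A', ttl: 21600, data: '10.20.30.40' },
    { name: 'coolness.', type: 'TXT', ttl: 21600, data: 'return this string' },
    { name: 'subdomain-glue.coolness.', type: 'CNAME', ttl: 21600, data: 'coolness.' },
    { name: 'sub.coolness.', type: 'A', ttl: 21600, data: '10.0.0.1' },
    { name: '*.coolness.', type: 'TXT', ttl: 21600, data: 'wow such zone file' },
    { name: '*.other.coolness.', type: 'TXT', ttl: 21600, data: 'other wildcard' },
  ],
};

function inZone(zone, name) {
  return name === zone.origin || name.endsWith('.' + zone.origin);
}

// A name exists if some record is owned by it or by any name below it
// (an empty non-terminal counts as existing, as in RFC 4592).
function nameExists(zone, name) {
  return zone.records.some((r) => r.name === name || r.name.endsWith('.' + name));
}

// "*.parent." applies to qname only when qname is strictly below parent.
// (so it can span several labels) and no existing name sits between them.
function wildcardApplies(zone, wildcard, qname) {
  const parent = wildcard.slice(2); // strip the leading "*."
  if (!qname.endsWith('.' + parent)) return false;
  const labels = qname.slice(0, -parent.length - 1).split('.');
  for (let i = 1; i < labels.length; i++) {
    if (nameExists(zone, labels.slice(i).join('.') + '.' + parent)) return false;
  }
  return true;
}

// Returns { exists, rrs }: exists=false means NXDOMAIN; exists=true with
// no record of the wanted type means NODATA.
function findRecords(zone, qname) {
  const exact = zone.records.filter((r) => r.name === qname);
  if (exact.length > 0) return { exists: true, rrs: exact };
  if (nameExists(zone, qname)) return { exists: true, rrs: [] }; // empty non-terminal
  // Only synthesize from wildcards when nothing exists at qname at all.
  const wilds = zone.records.filter(
    (r) => r.name.startsWith('*.') && wildcardApplies(zone, r.name, qname));
  // Synthesized records carry the queried name as owner, not "*.parent.".
  return { exists: wilds.length > 0, rrs: wilds.map((r) => ({ ...r, name: qname })) };
}

function lookup(zone, qname, qtype, depth = 0) {
  const res = { rcode: RCODE.NOERROR, aa: false, answer: [], authority: [] };
  if (!inZone(zone, qname)) {
    res.rcode = RCODE.REFUSED; // outside the zone: no aa, no SOA, nothing else
    return res;
  }
  res.aa = true; // authoritative for everything inside the zone
  const { exists, rrs } = findRecords(zone, qname);
  if (!exists) {
    res.rcode = RCODE.NXDOMAIN;
    res.authority.push(zone.soa);
    return res;
  }
  const cname = rrs.find((r) => r.type === 'CNAME');
  if (cname && qtype !== 'CNAME') {
    // A CNAME answers any type; then chase the target for the requested type.
    // The target's own NODATA/NXDOMAIN shows up as SOA in the authority section.
    res.answer.push(cname);
    if (inZone(zone, cname.data) && depth < 8) { // depth guard against CNAME loops
      const target = lookup(zone, cname.data, qtype, depth + 1);
      res.answer.push(...target.answer);
      res.authority.push(...target.authority);
    }
    return res;
  }
  const matched = rrs.filter((r) => r.type === qtype);
  if (matched.length === 0) res.authority.push(zone.soa); // NODATA
  res.answer.push(...matched);
  return res;
}

// Render the dig-style header so results can be compared with the transcripts.
function summarize(res) {
  const flags = res.aa ? 'qr aa' : 'qr';
  return `status: ${res.rcode}, flags: ${flags}; ANSWER: ${res.answer.length}, AUTHORITY: ${res.authority.length}`;
}

console.log(summarize(lookup(ZONE, 'subdomain-glue.coolness.', 'A')));
console.log(summarize(lookup(ZONE, 'subdomain-glue.coolness.', 'DNSKEY')));
console.log(summarize(lookup(ZONE, 'wefwefwefwe.', 'A')));
```

The three calls at the bottom reproduce the header lines of the three dig transcripts (ANSWER: 2 / AUTHORITY: 0, ANSWER: 1 / AUTHORITY: 1, and REFUSED with nothing else). Querying sub.coolness. TXT shows the first rule: the name exists with only an A record, so the wildcard TXT is not synthesized and the response is NODATA with the SOA in authority.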
Applies to CNAME glue
A CNAME can't be GLUE, by definition. Only NS, A & AAAA can be GLUE
Thanks. I was putting "glue" in quotes for this reason: JJ used the term in the code to refer to data that belongs to the target of a CNAME (i.e., it is returned like the A records that get glued to an NS record).
LGTM
EDIT: NVM, I found the Handshake fork.
This is nice! What's the status?
Status: needs review. I've learned a lot more about DNS since I wrote this PR and probably need to make sure it all still makes sense. This branch is included in handout.