Extended DNS Errors a la RFC8914 #504

Open
wants to merge 69 commits into master
Changes from 6 commits
69 commits
285f93f
Add EDE EDNS0 Option code
wtoorop Jun 24, 2021
a8d78b2
Simple EDE example
wtoorop Jun 24, 2021
4049885
add locations for EDE errors
Aug 13, 2021
0703a38
Fix: use EDE codes with EDNS_OPT_APPEND_EDE
Aug 16, 2021
eac4eb3
Return EDE_DNSSEC_BOGUS when returning bogus answers
Aug 16, 2021
6b5f314
Show reason when returning EDE_DNSSEC_BOGUS
Aug 16, 2021
a9e6f6b
add variable bogus reason
Aug 17, 2021
b3f60db
add local anwser blocked
Aug 19, 2021
935634d
Revert "add local anwser blocked"
Aug 19, 2021
5fff0f7
Fix dont echo edns0 option list ...
Aug 19, 2021
a986597
EDE Blocked with local-zone refused answers
Aug 19, 2021
d9a947f
Merge branch 'master' into features/rfc8914-ede
Aug 20, 2021
ec4cf69
set up for tpkg test
Aug 23, 2021
fba1c30
add localzones test
Aug 23, 2021
33445be
add setup of RPZ and full tests of earlier implemented EDEs
Aug 31, 2021
7079f0b
add ede to always_refuse and always_null
Sep 6, 2021
9df75a8
add DNSSEC indeterminate EDE and DNAME expansion test
Sep 8, 2021
2360120
add mesh bogus test, possible locations for more EDE and remove super…
Sep 13, 2021
a664e8c
First step towards specific EDE DNSSEC errors
Sep 14, 2021
3576033
add possible EDE spots
Sep 15, 2021
5617de6
Answer LDNS_EDE_RRSIGS_MISSING for normal answers with missing signat…
Sep 15, 2021
4d15603
add routine to do EDE on ACL blocked messages
Sep 20, 2021
65852bc
Merge branch 'features/rfc8914-ede' of github.com:NLnetLabs/unbound i…
Sep 20, 2021
4df2965
add forgotten compile error fixes from previous commit
Sep 20, 2021
b606c82
Merge branch 'features/rfc8914-ede' of github.com:NLnetLabs/unbound i…
Sep 20, 2021
0b376cc
add routine to add EDE to ACL:refused at correct location
Sep 27, 2021
84da240
change strncpy to memmove at @wcawijngaards' suggestion
Sep 28, 2021
732ad94
process @wcawijngaards' comments
Sep 28, 2021
42ba5ae
process @wcawijngaards' comments v2
Sep 28, 2021
3ba8ea3
fix CH class response
Sep 28, 2021
320aa64
add QDCOUNT=0 to CHAOS query in ACL
Sep 29, 2021
7df2df0
add EDE response to autotrust_init_fail test
Sep 30, 2021
c42c2cb
add EDE response to autotrust_init_failsig test
Sep 30, 2021
86e8050
add EDE responses to unittests
Oct 1, 2021
8a6b3f0
add DNSKEY EDE code
Oct 8, 2021
b825bb6
add more tests
Oct 8, 2021
d2a719f
add test setup for DNSSEC EDEs
Oct 13, 2021
9bff0b9
- Introduce 'ede=<info-code>' and 'all_noedns' as options in the MATC…
gthess Oct 13, 2021
f7bb7f2
Merge branch 'features/rfc8914-ede' of github.com:NLnetLabs/unbound i…
gthess Oct 13, 2021
abd948f
change unittests to match just the ede code
Oct 13, 2021
fed0fb4
- Fix testcode, 0 is a valid EDE INFO-CODE.
gthess Oct 14, 2021
df984d9
add dnssec ede tests
Oct 18, 2021
0eba781
make local_data ede inclusion configurable, rewrite local_error_encod…
Nov 10, 2021
787d7a5
Merge branch 'master' into features/rfc8914-ede
Nov 15, 2021
f22e42f
Fix merge bugs
Nov 15, 2021
a3171a1
remove superfluous EDE left over from merge
Nov 16, 2021
4a43aee
setup for configurable EDEs for local-zone
Nov 16, 2021
0747d01
add missing parsing
Nov 16, 2021
0572870
change do_ede to be local-zone specific and add places for more EDE c…
Nov 19, 2021
575a686
add forgotten autogenerated files
Nov 19, 2021
7926874
add config option for global EDE flag, local-zone specific EDE flag a…
Nov 26, 2021
ff356b9
add error in case of incorrect string for local-zone-default-ede
Nov 26, 2021
3ccb4c6
change local-zone-default-ede keywords to '-', add missing {}, and ad…
Nov 30, 2021
db98a8b
add ede-local-zones in the manpage and update the iana_ports.inc for …
Nov 30, 2021
65ee2f2
finish up adding validator EDEs and other TODOs and fix tests with mo…
Dec 6, 2021
63e6604
add config options to test conf, fix local-zone EDE printing logic, a…
Dec 7, 2021
dc38aac
expand ede.tdir to do validator test for DNSKEY, RRSIG and NSEC missing
Dec 15, 2021
ea1a5f3
add todo for tests and fix EDE codes for DNSKEY missing
Dec 15, 2021
4f37d64
fix DNSSEC nsec-failure test
Dec 15, 2021
df229db
Merge branch 'master' into features/rfc8914-ede
TCY16 Dec 15, 2021
05e06fd
fix rpl tests
Dec 15, 2021
7902448
Document how the log-val-level: config options influences the returne…
Dec 16, 2021
fe8ef6e
add logic for per zone EDE for RPZ and configurable rpz-do-ede
Dec 21, 2021
94f04a7
remove superfluous linebreaks
Dec 21, 2021
49f2960
add remote control options for local-zone and RPZ do_ede
Dec 22, 2021
69e188b
fix missing disable in remote-control local_zone do_ede and typos
Dec 22, 2021
80957b6
remove debug line
Jan 10, 2022
9ae988c
Merge branch 'master' into review-rfc8914-ede
wtoorop Jan 11, 2022
8c96e26
modify tdir to ignore localzone tests
Jan 13, 2022
35 changes: 34 additions & 1 deletion daemon/worker.c
@@ -485,6 +485,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
worker->env.now_tv))
return 0;
EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
LDNS_EDE_DNSSEC_BOGUS, "");
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
&msg->qinfo, id, flags, edns);
if(worker->stats.extended) {
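Review bot: the return value of the append is discarded here and the EDE is added with an empty EXTRA-TEXT; that is allowed by RFC 8914, but the macro form `EDNS_OPT_APPEND_EDE(..., "")` only works because `sizeof("") - 1` is 0 (see the macro in util/data/msgreply.h, which then declares a zero-length array). Prefer the function `edns_opt_append_ede(edns, worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, NULL)` that services/mesh.c in this same PR already uses, so both SERVFAIL-for-bogus paths go through one implementation.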
@@ -659,6 +661,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad,
worker->env.now_tv))
goto bail_out;
EDNS_OPT_APPEND_EDE(edns, worker->scratchpad,
LDNS_EDE_DNSSEC_BOGUS, "");
error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
qinfo, id, flags, edns);
rrset_array_unlock_touch(worker->env.rrset_cache,
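Review bot: this is the same bogus-from-cache SERVFAIL sequence as in answer_norec_from_cache() above (append the DNSSEC Bogus EDE, then error_encode), so a small helper would keep the two from drifting. Also confirm that error_encode() leaves out the OPT RR when the client sent no EDNS (edns->edns_present clear): the option is appended unconditionally here, and a non-EDNS client must not receive an OPT record.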
@@ -1290,6 +1294,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
edns.udp_size = EDNS_ADVERTISED_SIZE;
edns.bits &= EDNS_DO;
edns.opt_list = NULL;
EDNS_OPT_APPEND_EDE(&edns, worker->scratchpad,
LDNS_EDE_OTHER, "query with bad edns keepalive");
verbose(VERB_ALGO, "query with bad edns keepalive.");
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
error_encode(c->buffer, LDNS_RCODE_FORMERR, &qinfo,
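Review bot: the literal "query with bad edns keepalive" in the EDE EXTRA-TEXT repeats the verbose() message on the next line; keep the string in one place so the log and the wire text cannot diverge. The placement is otherwise right: `edns.opt_list = NULL` two lines above means the EDE is the only option on the FORMERR reply and none of the client's (malformed) options are echoed back, which deserves a one-line comment since the ordering is what makes that true.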
@@ -1402,12 +1408,23 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
* ACLs allow the snooping. */
if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) &&
acl != acl_allow_snoop ) {



// @TODO ADD Error Code 20 - Not Authoritative
// @TODO add EDNS record

EDNS_OPT_APPEND_EDE(&edns, worker->scratchpad,
LDNS_EDE_NOT_AUTHORITATIVE, "Not Authoritative");


error_encode(c->buffer, LDNS_RCODE_REFUSED, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
sldns_buffer_read_u16_at(c->buffer, 2), NULL);
sldns_buffer_read_u16_at(c->buffer, 2), &edns);
regional_free_all(worker->scratchpad);
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
&repinfo->addr, repinfo->addrlen);

goto send_reply;
}
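Review bot: the two `// @TODO` lines, the stray blank lines and the C++-style `//` comments should go before merge (the code base uses `/* */`); both TODOs are already done by the EDNS_OPT_APPEND_EDE call that follows them. The last error_encode() argument changes from NULL to &edns, so check that `edns` has been parsed from the request by this point (this REFUSED for RD-clear cache-snoop queries is sent early in worker_handle_request) and that the option is not attached when the client sent no OPT. Code 20 (Not Authoritative) is the code RFC 8914 gives for RD-clear queries the server will not answer, so the code choice itself is right.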

@@ -1480,10 +1497,23 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
< *worker->env.now)
leeway = 0;
lock_rw_unlock(&e->lock);

// // stale answer?
// if (worker->env.cfg->serve_expired &&
// *worker->env.now >= ((struct reply_info*)e->data)->ttl) {
// // EDE Error Code 3 - Stale Answer
// EDNS_OPT_APPEND_EDE(&edns, worker->scratchpad,
// LDNS_EDE_STALE_ANSWER, "");
// }

// add EDNS struct?
reply_and_prefetch(worker, lookup_qinfo,
sldns_buffer_read_u16_at(c->buffer, 2),
repinfo, leeway,
(partial_rep || need_drop));



if(!partial_rep) {
rc = 0;
regional_free_all(worker->scratchpad);
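Review bot: the commented-out stale-answer block and the `// add EDNS struct?` question should either become a tracked TODO in the project's `/* */` style or be dropped; as written the block could not work anyway, because it would append the EDE to the local `edns` while reply_and_prefetch() below takes no edns argument (which is exactly what the question notes). The Stale Answer EDE (code 3) has to be attached where the serve-expired reply is actually encoded, so that it lands on the EDNS data that goes on the wire.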
@@ -1520,6 +1550,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
verbose(VERB_ALGO, "answer from the cache failed");
lock_rw_unlock(&e->lock);
}

// @TODO Extended DNS Error Code 13 - Cached Error? place not clear

if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
if(answer_norec_from_cache(worker, &qinfo,
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
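Review bot: the `// @TODO Extended DNS Error Code 13` note adds no behaviour and uses `//` comments; move it to the PR description or an issue, or to the spot where a cached SERVFAIL/error message is returned from the message cache, since that is the only place Cached Error (code 13) could be attached correctly.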
14 changes: 14 additions & 0 deletions services/mesh.c
@@ -1271,6 +1271,20 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
&r->edns, &r->query_reply, m->s.region, &r->start_time))
r->edns.opt_list = NULL;
}
/* Send along EDE BOGUS EDNS0 option when answer is bogus */
if(rcode == LDNS_RCODE_SERVFAIL &&
m->s.env->need_to_validate && (!(r->qflags&BIT_CD) ||
m->s.env->cfg->ignore_cd) && rep &&
(rep->security <= sec_status_bogus ||
rep->security == sec_status_secure_sentinel_fail)) {

char *reason = m->s.env->cfg->val_log_level >= 2
? errinf_to_str_bogus(&m->s) : NULL;

edns_opt_append_ede(&r->edns, m->s.region,
LDNS_EDE_DNSSEC_BOGUS, reason);
free(reason);
}
error_encode(r_buffer, rcode, &m->s.qinfo, r->qid,
r->qflags, &r->edns);
m->reply_list = NULL;
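Review bot: `rep->security <= sec_status_bogus` depends on the enum order and also matches sec_status_unchecked, which is not a validation failure; spell out the states meant, `rep->security == sec_status_bogus || rep->security == sec_status_secure_sentinel_fail`, so the test survives a reorder of the enum. Gating the errinf_to_str_bogus() text behind `val_log_level >= 2` before it goes into EXTRA-TEXT is a good choice, since that string is internal diagnostic detail sent to every client; `free(reason)` on NULL is fine, but the return value of edns_opt_append_ede() is ignored, so an allocation failure silently drops the option rather than being logged.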
2 changes: 2 additions & 0 deletions services/rpz.c
@@ -1037,6 +1037,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
return 0;
}


// @TODO: Find out if it's local answer of blocked; if blocked then EDE: blocked
if(lzt == local_zone_redirect && local_data_answer(z, env, qinfo,
edns, repinfo, buf, temp, dname_count_labels(qinfo->qname),
&ld, lzt, -1, NULL, 0, NULL, 0)) {
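Review bot: this hunk only adds a `// @TODO` comment and a blank line, no behaviour. Either answer the question it asks (whether a local_zone_redirect answer should count as Blocked, code 15, or as a plain local answer with no EDE) in this PR, or drop the comment before merge; if it stays, use `/* */` like the rest of the file and fix "local answer of blocked" to "or".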
31 changes: 31 additions & 0 deletions sldns/rrdef.h
@@ -428,10 +428,41 @@ enum sldns_enum_edns_option
LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */
LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/
LDNS_EDNS_PADDING = 12, /* RFC7830 */
LDNS_EDNS_EDE = 15, /* RFC8914 */
LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */
};
typedef enum sldns_enum_edns_option sldns_edns_option;

enum sldns_enum_ede_code
{
LDNS_EDE_OTHER = 0,
LDNS_EDE_UNSUPPORTED_DNSKEY_ALG = 1,
LDNS_EDE_UNSUPPORTED_DS_DIGEST = 2,
LDNS_EDE_STALE_ANSWER = 3,
LDNS_EDE_FORGED_ANSWER = 4,
LDNS_EDE_DNSSEC_INDETERMINATE = 5,
LDNS_EDE_DNSSEC_BOGUS = 6,
LDNS_EDE_SIGNATURE_EXPIRED = 7,
LDNS_EDE_SIGNATURE_NOT_YET_VALID = 8,
LDNS_EDE_DNSKEY_MISSING = 9,
LDNS_EDE_RRSIGS_MISSING = 10,
LDNS_EDE_NO_ZONE_KEY_BIT_SET = 11,
LDNS_EDE_NSEC_MISSING = 12,
LDNS_EDE_CACHED_ERROR = 13,
LDNS_EDE_NOT_READY = 14,
LDNS_EDE_BLOCKED = 15,
LDNS_EDE_CENSORED = 16,
LDNS_EDE_FILTERED = 17,
LDNS_EDE_PROHIBITED = 18,
LDNS_EDE_STALE_NXDOMAIN_ANSWER = 19,
LDNS_EDE_NOT_AUTHORITATIVE = 20,
LDNS_EDE_NOT_SUPPORTED = 21,
LDNS_EDE_NO_REACHABLE_AUTHORITY = 22,
LDNS_EDE_NETWORK_ERROR = 23,
LDNS_EDE_INVALID_DATA = 24
};
typedef enum sldns_enum_ede_code sldns_ede_code;

#define LDNS_EDNS_MASK_DO_BIT 0x8000

/** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
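Review bot: values 0 through 24 match the RFC 8914 Extended DNS Error Codes registry and `LDNS_EDNS_EDE = 15` is the IANA EDNS option code, so the numbers are right; add a comment at the enum naming the registry (RFC 8914 section 5.2), because its policy is First Come First Served and new codes will have to be appended here over time. The `(uint16_t)code` cast in msgreply.c shows the wire size; a comment that INFO-CODE is 16 bits would document why the enum is safe to cast.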
29 changes: 29 additions & 0 deletions util/data/msgreply.c
@@ -988,6 +988,35 @@ int edns_opt_append(struct edns_data* edns, struct regional* region,
return 1;
}

int edns_opt_append_ede(struct edns_data* edns, struct regional* region,
sldns_ede_code code, const char *txt)
{
struct edns_option** prevp;
struct edns_option* opt;
size_t txt_len = txt ? strlen(txt) : 0;

/* allocate new element */
opt = (struct edns_option*)regional_alloc(region, sizeof(*opt));
if(!opt)
return 0;
opt->next = NULL;
opt->opt_code = LDNS_EDNS_EDE;
opt->opt_len = txt_len + sizeof(uint16_t);
opt->opt_data = regional_alloc(region, txt_len + sizeof(uint16_t));
if(!opt->opt_data)
return 0;
sldns_write_uint16(opt->opt_data, (uint16_t)code);
if (txt_len)
strncpy(opt->opt_data + 2, txt, txt_len);

/* append at end of list */
prevp = &edns->opt_list;
while(*prevp != NULL)
prevp = &((*prevp)->next);
*prevp = opt;
return 1;
}

int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len,
uint8_t* data, struct regional* region)
{
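Review bot: `strncpy(opt->opt_data + 2, txt, txt_len)` copies exactly txt_len bytes with no terminator, which is what EXTRA-TEXT needs but is the one use where strncpy reads as a bug; use memcpy (or memmove, as a later commit in this PR does) and write `sizeof(uint16_t)` instead of the literal 2 to match the length arithmetic above it. The allocation and list walk duplicate edns_opt_append() just above; building the code-plus-text buffer in the region and calling `edns_opt_append(edns, region, LDNS_EDNS_EDE, txt_len + sizeof(uint16_t), data)` keeps one list implementation. Also add a check that `txt_len + sizeof(uint16_t)` fits the 16-bit OPTION-LENGTH before it is stored in opt_len: the bogus reason strings from the validator are free text and can be long.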
30 changes: 30 additions & 0 deletions util/data/msgreply.h
@@ -43,6 +43,7 @@
#define UTIL_DATA_MSGREPLY_H
#include "util/storage/lruhash.h"
#include "util/data/packed_rrset.h"
#include "sldns/rrdef.h"
struct sldns_buffer;
struct comm_reply;
struct alloc_cache;
@@ -515,6 +516,35 @@ void log_query_info(enum verbosity_value v, const char* str,
int edns_opt_append(struct edns_data* edns, struct regional* region,
uint16_t code, size_t len, uint8_t* data);

/**
* Append edns EDE option to edns options list
* @param EDNS: the edns data structure to append the edns option to.
* @param REGION: region to allocate the new edns option.
* @param CODE: the EDE code.
* @param TXT: Additional text for the option
*/
#define EDNS_OPT_APPEND_EDE(EDNS, REGION, CODE, TXT) \
do { \
struct { \
uint16_t code; \
char text[sizeof(TXT) - 1]; \
} ede = { htons(CODE), TXT }; \
edns_opt_append((EDNS), (REGION), LDNS_EDNS_EDE, \
sizeof(uint16_t) + sizeof(TXT) - 1, \
(void *)&ede); \
} while(0)

/**
* Append edns EDE option to edns options list
* @param edns: the edns data structure to append the edns option to.
* @param region: region to allocate the new edns option.
* @param code: the EDE code.
* @param txt: Additional text for the option
* @return false on failure.
*/
int edns_opt_append_ede(struct edns_data* edns, struct regional* region,
sldns_ede_code code, const char *txt);

/**
* Append edns option to edns option list
* @param list: the edns option list to append the edns option to.
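Review bot: `char text[sizeof(TXT) - 1]` becomes a zero-length array when TXT is "" (as in both daemon/worker.c cache paths in this PR), which is not standard C, and the macro only works with a string literal because of the sizeof(). Since edns_opt_append_ede() declared directly below takes a runtime string, handles NULL and the empty case, and returns a result, drop the macro and call the function everywhere. If it is kept: htons() needs <arpa/inet.h>, which this header does not include, and the result of edns_opt_append() is discarded inside the `do { } while(0)`.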