kazu-yamamoto / dnsext

Extensible DNS libraries written purely in Haskell

CD (Check-Disabled) flag support #177

Closed khibino closed 4 months ago

khibino commented 4 months ago

With +cdflag, the iterative search is performed without DNSSEC validation. The bowline cache now takes the +cdflag into account as well.

 % dug -i -v 1 brokendnssec.net.
resolve-with-cname: query: "brokendnssec.net." A IN
resolve-with-cname: query:   DO: NoDnssecOK
resolve-with-cname: query:   CD: NoCheckDisabled
resolve-with-cname: query:   AD: NoAuthenticatedData
...
no delegation: "cloudflare.com." -> "cruz.ns.cloudflare.com."
resolve-exact: query ("cruz.ns.cloudflare.com.",AAAA) servers: (162.159.4.8,53) (162.159.6.6,53) (2400:cb00:2049:1::a29f:30b,53) (2400:cb00:2049:1::a29f:506,53)
    query "cruz.ns.cloudflare.com." AAAA to 162.159.4.8#53/UDP
    query "cruz.ns.cloudflare.com." AAAA to 162.159.6.6#53/UDP
    query "cruz.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:30b#53/UDP
    query "cruz.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:506#53/UDP
    query "cruz.ns.cloudflare.com." AAAA to 162.159.4.8#53/UDP: win
verification success - RRSIG of "cruz.ns.cloudflare.com." AAAA
fillDelegationDNSKEY: query ("brokendnssec.net.",DNSKEY) servers: (2606:4700:50::adf5:3a58,53)
    query "brokendnssec.net." DNSKEY to 2606:4700:50::adf5:3a58#53/UDP
fillDelegationDNSKEY: sepkeyDS: no DNSKEY matches with DS
fillsDNSSEC: "brokendnssec.net.": DS is 'chained'-state, and DNSKEY is null
"brokendnssec.net.": verification error. dangling DS chain. DS exists, and DNSKEY does not exists
;; HEADER SECTION:
;Standard query, ServFail, id: 0
;Flags: Recursion Desired, Recursion Available

;; QUESTION SECTION:
;brokendnssec.net.      IN  A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; 253usec
 % dug -i -v 1 brokendnssec.net. +cdflag
resolve-with-cname: query: "brokendnssec.net." A IN
resolve-with-cname: query:   DO: NoDnssecOK
resolve-with-cname: query:   CD: CheckDisabled
resolve-with-cname: query:   AD: NoAuthenticatedData
...
no delegation: "cloudflare.com." -> "carl.ns.cloudflare.com."
resolve-exact: query ("carl.ns.cloudflare.com.",AAAA) servers: (2400:cb00:2049:1::a29f:21,53) (2400:cb00:2049:1::a29f:408,53) (2400:cb00:2049:1::a29f:606,53) (2400:cb00:2049:1::a29f:7e2,53)
    query "carl.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:21#53/UDP
    query "carl.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:408#53/UDP
    query "carl.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:606#53/UDP
    query "carl.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:7e2#53/UDP
    query "carl.ns.cloudflare.com." AAAA to 2400:cb00:2049:1::a29f:21#53/UDP: win
no verification - no DS, "carl.ns.cloudflare.com." AAAA
resolve-exact: query ("brokendnssec.net.",A) servers: (2606:4700:58::adf5:3b6a,53)
    query "brokendnssec.net." A to 2606:4700:58::adf5:3b6a#53/UDP
no verification - no DS, "brokendnssec.net." A
;; HEADER SECTION:
;Standard query, NoError, id: 0
;Flags: Recursion Desired, Recursion Available

;; QUESTION SECTION:
;brokendnssec.net.      IN  A

;; ANSWER SECTION:
brokendnssec.net.   300(5 mins) IN  A   104.22.48.232
brokendnssec.net.   300(5 mins) IN  A   104.22.49.232
brokendnssec.net.   300(5 mins) IN  A   172.67.29.10

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; 182usec
 % dug -i -v 1 iij.ad.jp.
resolve-with-cname: query: "iij.ad.jp." A IN
resolve-with-cname: query:   DO: NoDnssecOK
resolve-with-cname: query:   CD: NoCheckDisabled
resolve-with-cname: query:   AD: NoAuthenticatedData
...
delegation - verification success - RRSIG of DS: "jp." -> "iij.ad.jp."
zone: "iij.ad.jp.":
    "dns0.iij.ad.jp." 210.130.0.5@53, 2001:240::105@53
    "dns1.iij.ad.jp." 210.130.1.5@53, 2001:240::115@53
fillDelegationDNSKEY: query ("iij.ad.jp.",DNSKEY) servers: (2001:240::105,53) (2001:240::115,53)
    query "iij.ad.jp." DNSKEY to 2001:240::105#53/UDP
    query "iij.ad.jp." DNSKEY to 2001:240::115#53/UDP
    query "iij.ad.jp." DNSKEY to 2001:240::105#53/UDP: win
resolve-exact: query ("iij.ad.jp.",A) servers: (2001:240::105,53) (2001:240::115,53)
    query "iij.ad.jp." A to 2001:240::105#53/UDP
    query "iij.ad.jp." A to 2001:240::115#53/UDP
    query "iij.ad.jp." A to 2001:240::115#53/UDP: win
verification success - RRSIG of "iij.ad.jp." A
;; HEADER SECTION:
;Standard query, NoError, id: 0
;Flags: Recursion Desired, Recursion Available

;; QUESTION SECTION:
;iij.ad.jp.     IN  A

;; ANSWER SECTION:
iij.ad.jp.  300(5 mins) IN  A   202.232.2.191

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; 70usec
 % dug -i -v 1 iij.ad.jp. +cdflag
resolve-with-cname: query: "iij.ad.jp." A IN
resolve-with-cname: query:   DO: NoDnssecOK
resolve-with-cname: query:   CD: CheckDisabled
resolve-with-cname: query:   AD: NoAuthenticatedData
...
delegation - no DS, check disabled: "jp." -> "iij.ad.jp."
zone: "iij.ad.jp.":
    "dns0.iij.ad.jp." 210.130.0.5@53, 2001:240::105@53
    "dns1.iij.ad.jp." 210.130.1.5@53, 2001:240::115@53
resolve-exact: query ("iij.ad.jp.",A) servers: (210.130.1.5,53) (2001:240::105,53)
    query "iij.ad.jp." A to 210.130.1.5#53/UDP
    query "iij.ad.jp." A to 2001:240::105#53/UDP
    query "iij.ad.jp." A to 210.130.1.5#53/UDP: win
no verification - no DS, "iij.ad.jp." A
;; HEADER SECTION:
;Standard query, NoError, id: 0
;Flags: Recursion Desired, Recursion Available

;; QUESTION SECTION:
;iij.ad.jp.     IN  A

;; ANSWER SECTION:
iij.ad.jp.  300(5 mins) IN  A   202.232.2.191

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; 99usec