[Dnsmasq-discuss] [PATCH] Add EDE status "no matching key found"

Dominik DL6ER dl6er at dl6er.de
Sun Jun 27 11:35:31 UTC 2021


Hey Simon,

I tried your recent extended DNS errors (EDE) addition. I tested the
following well-known DNSSEC testing domains:

- dnssec-failed.org: "BOGUS (EDE: DNSKEY missing)"
- rhybar.cz: "BOGUS (EDE: DNSSEC signature expired)"
- sigfail.verteiltesysteme.net: "BOGUS"

Interestingly, sigfail.verteiltesysteme.net did not show any additional
information added to the BOGUS result. The validation failed here
because none of the DNSKEY records validate the A RRset.

My patch extends the EDE facility you implemented to allow for
additional errors not standardized in RFC 8914. This may be handy in
other places of the DNSSEC validation process, too. I could imagine
extending this further by, e.g., "bad packet" or "upstream SERVFAIL"
errors.

Before: 
> query[A] sigfail.verteiltesysteme.net from 127.0.0.1
> forwarded sigfail.verteiltesysteme.net to 127.0.0.1
> validation result is BOGUS

New:
> query[A] sigfail.verteiltesysteme.net from 127.0.0.1
> forwarded sigfail.verteiltesysteme.net to 127.0.0.1
> validation result is BOGUS (EDE: no matching key found)

This dnsmasq-internal EDE is not sent to clients. It may be debated if
this is intended. Following RFC 8914, Sec. 4.1, they can be included as
EXTRA-TEXT for EDE code 0. This is not included in this patch but could
be easily added in a follow-up.

Best,
Dominik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-extended-DNS-error-message-in-case-no-varifying-.patch
Type: text/x-patch
Size: 5023 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20210627/2736d3ea/attachment-0001.bin>
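As an added illustration (not Dominik's patch and not dnsmasq's own code), the following Python encodes and decodes the RFC 8914 EDE EDNS0 option (option code 15), showing how a standardised reason maps to its INFO-CODE while a dnsmasq-internal reason such as "no matching key found" would travel as code 0 with EXTRA-TEXT, as the message's reference to Sec. 4.1 suggests. The reason-to-code table and the function names are assumptions made for the example.

```python
import struct

# RFC 8914 section 5.2: a few of the standard EDE INFO-CODEs
EDE_NAMES = {
    0: "Other", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
}
EDE_OPTION_CODE = 15  # EDNS0 OPTION-CODE assigned to Extended DNS Error

def encode_ede(info_code, extra_text=""):
    """Build one EDNS0 option (OPTION-CODE, OPTION-LENGTH, OPTION-DATA) carrying
    an EDE: a 16-bit INFO-CODE followed by UTF-8 EXTRA-TEXT (not NUL-terminated)."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data

def decode_ede_options(rdata):
    """Walk the RDATA of an OPT record and return (info_code, extra_text)
    for every EDE option found; other options are skipped."""
    found, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        body = rdata[off:off + length]
        if len(body) != length:
            raise ValueError("truncated EDNS option")
        off += length
        if code == EDE_OPTION_CODE:
            if length < 2:
                raise ValueError("EDE option shorter than INFO-CODE")
            info = struct.unpack_from("!H", body)[0]
            found.append((info, body[2:].decode("utf-8", errors="replace")))
    return found

def describe(info_code, extra_text):
    """Human-readable rendering, e.g. for a log line."""
    name = EDE_NAMES.get(info_code, f"unassigned code {info_code}")
    return f"{name}: {extra_text}" if extra_text else name

def validation_ede(reason):
    """Map an internal validation-failure reason to an on-the-wire EDE option.
    Assumed table: standardised reasons get their RFC 8914 code, anything
    else is sent as code 0 (Other) with the reason as EXTRA-TEXT (sec. 4.1)."""
    standard = {"DNSKEY missing": 9, "DNSSEC signature expired": 7}
    if reason in standard:
        return encode_ede(standard[reason])
    return encode_ede(0, reason)
```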