[Dnsmasq-discuss] [PATCH] Add EDE status "no matching key found"

Simon Kelley simon at thekelleys.org.uk
Tue Jul 6 22:05:03 UTC 2021


On 27/06/2021 12:35, Dominik DL6ER wrote:
> Hey Simon,
> 
> I tried your recent extended DNS errors (EDE) addition. I tested the
> following well-known DNSSEC testing domains:
> 
> - dnssec-failed.org: "BOGUS (EDE: DNSKEY missing)"
> - rhybar.cz: "BOGUS (EDE: DNSSEC signature expired)"
> - sigfail.verteiltesysteme.net: "BOGUS"
> 
> Interestingly, sigfail.verteiltesysteme.net did not show any additional
> information added to the BOGUS result. The validation failed here
> because none of the DNSKEY records validate the A RRset.
> 
> My patch extends the EDE facility you implemented to allow for
> additional errors not standardized in RFC 8914. This may be handy in
> other places of the DNSSEC validation process, too. I could imagine
> extending this further by, e.g., "bad packet" or "upstream SERVFAIL"
> errors.
> 
> Before: 
>> query[A] sigfail.verteiltesysteme.net from 127.0.0.1
>> forwarded sigfail.verteiltesysteme.net to 127.0.0.1
>> validation result is BOGUS
> 
> New:
>> query[A] sigfail.verteiltesysteme.net from 127.0.0.1
>> forwarded sigfail.verteiltesysteme.net to 127.0.0.1
>> validation result is BOGUS (EDE: no matching key found)
> 
> This dnsmasq-internal EDE is not sent to clients. It may be debated if
> this is intended. Following RFC 8914, Sec. 4.1, they can be included as
> EXTRA-TEXT for EDE code 0. This is not included in this patch but could
> be easily added in a follow-up.
> 

I wonder, is this situation already covered by EDE_NO_DNSKEY - EDE 9

From RFC-8914:

   Extended DNS Error Code 9 - DNSKEY Missing

   A DS record existed at a parent, but no supported matching DNSKEY
   record could be found for the child.


Note the word "matching" in the definition.

Good to catch this situation, but I'm not sure we need to invent a new
error.

Cheers,

Simon.