[Dnsmasq-discuss] [PATCH] Report filtered A or AAAA records via EDE code

Petr Menšík pemensik at redhat.com
Thu Mar 16 20:58:20 UTC 2023


Hi!

I have raised the filtering topic on DNS-OARC chat. One of the proposals was to 
mark at least filtered records by EDE status, which current dnsmasq 
already supports. I like it. We create a fake answer when the --filter-A or 
--filter-AAAA option is used. It should be marked somehow.

There is also a proposal for more verbose error and contact information 
[1], but at least marking the response as somehow synthesized is a good 
start. I attached a change to rrfilter to report the number of modified 
records. Then it marks any filtered response with the Filtered EDE code. I 
expect the same should be possible for any other record type filtered, 
except EDNS0 and DNSSEC records.

Credit for the idea goes to Vladimír Čunát. It might allow a potential 
DNSSEC validator to not emit SERVFAIL on a bogus answer we made, if it 
would trust our response for any reason.

What do you think?

By the way, maybe we should also strip RRSIGs for those records if 
present. It looks like a bug to me. But it would not make validating 
resolvers any happier anyway.

; <<>> DiG 9.18.12 <<>> -4 @localhost -p 2053 example.org a +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1220
; COOKIE: b2ad85a9275d948e02176a79641381dce6990a257f089ec5 (good)
; EDE: 17 (Filtered)
;; QUESTION SECTION:
;example.org.            IN    A

;; ANSWER SECTION:
example.org.        32748    IN    RRSIG    A 8 2 86400 20230323193411 
20230302075235 43798 example.org. 
QwrK73kR5vStRzG6IPOpYU2exzSIOatl1p8DffKi4PP2Ig8yAL43AhVu 
2bsA0I0EFINH3xvF2IiM7eyR/fMm8rfeAsG1pokOFOOhlYQQHhglgfu6 
mgNJnFrHUs3M+JNBNyAay42aSSDt5gXcvk77nx32uWv40pfknU7wH2Xc rP4=

[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Report-number-of-modified-records-from-rrfilter.patch
Type: text/x-patch
Size: 7289 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20230316/2913fdd7/attachment-0001.bin>
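As an added illustration (not part of the attached patch and not dnsmasq's own code), the following Python script builds a NOERROR answer carrying the EDE option 17 (Filtered) the message proposes, and parses it back the way a client or monitoring tool would, so that a synthesized empty answer can be told apart from a genuine one. The query name, the EDE extra text, the transaction id and the IPv4 address are constructed sample values; the wire layout follows RFC 6891 (OPT) and RFC 8914 (EDE).

```python
"""Encode and decode the EDNS(0) Extended DNS Error option (RFC 8914).

Added example for the dnsmasq-discuss thread on marking --filter-A /
--filter-AAAA answers with EDE 17 (Filtered); this is not dnsmasq code.
"""
import socket
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
EDNS_OPT_EDE = 15      # OPT option code for Extended DNS Error (RFC 8914)
EDE_FILTERED = 17      # EDE info-code "Filtered"
# A few RFC 8914 info-codes; 17 is the one dnsmasq would attach to a filtered answer.
EDE_NAMES = {4: "Forged Answer", 15: "Blocked", 16: "Censored",
             17: "Filtered", 18: "Prohibited"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ede_option(info_code: int, extra_text: str = "") -> bytes:
    """One EDE option: OPTION-CODE 15, OPTION-LENGTH, INFO-CODE, optional UTF-8 text."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDNS_OPT_EDE, len(data)) + data


def build_opt_rr(options: bytes, udp_size: int = 1220, do_bit: bool = True) -> bytes:
    """OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags."""
    ttl = 0x8000 if do_bit else 0          # ext-rcode 0, version 0, DO flag in the high bit
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(options)) + options


def build_response(qname: str, qtype: int, edes=(), answer_ipv4=None, txid=0x1234) -> bytes:
    """NOERROR response with an optional A record and an OPT RR carrying the given EDEs."""
    answers = b""
    if answer_ipv4 is not None:
        # Owner name is a compression pointer to the question name at offset 12.
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ipv4)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 1)  # QR RD RA
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = b"".join(ede_option(code, text) for code, text in edes)
    return header + question + answers + build_opt_rr(options)


def parse_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                     # bound the walk against pointer loops
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels) + ".", (end if jumped else off)


def parse_ede_options(rdata: bytes):
    """Walk OPT RDATA and return [(info_code, name, extra_text)] for each EDE option."""
    out, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        body = rdata[off:off + length]
        off += length
        if code == EDNS_OPT_EDE and length >= 2:
            info = struct.unpack_from("!H", body, 0)[0]
            out.append((info, EDE_NAMES.get(info, "Unknown"),
                        body[2:].decode("utf-8", errors="replace")))
    return out


def parse_response(pkt: bytes) -> dict:
    """Return transaction id, RCODE, answer count and all EDE options found in the OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        _, off = parse_name(pkt, off)
        off += 4                                  # QTYPE + QCLASS
    edes = []
    for _ in range(an + ns + ar):
        _, off = parse_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == OPT_TYPE:
            edes.extend(parse_ede_options(pkt[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ancount": an, "edes": edes}


def is_filtered(parsed: dict) -> bool:
    """True when the resolver marked the answer with EDE 17, i.e. it was synthesized by a filter."""
    return any(code == EDE_FILTERED for code, _, _ in parsed["edes"])


if __name__ == "__main__":
    pkt = build_response("example.org", 28, edes=[(EDE_FILTERED, "constructed sample text")])
    print(parse_response(pkt), is_filtered(parse_response(pkt)))
```

The parser deliberately keys on the EDE option rather than on an empty answer section: as the dig output above shows, a filtered answer may still be NOERROR and may still carry an RRSIG, so "no A/AAAA record" alone does not distinguish a filtered reply from a name that genuinely has no such record.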