[Dnsmasq-discuss] [PATCH] Report filtered A or AAAA records via EDE code

Simon Kelley simon at thekelleys.org.uk
Fri Mar 17 18:08:49 UTC 2023


I think that looks like a sensible change. I'm slightly worried about 
the definition of EDE_FILTERED:

4.18. Extended DNS Error Code 17 - Filtered
     The server is unable to respond to the request because the domain is
     on a blocklist as requested by the client. Functionally, this
     amounts to "you requested that we filter domains like this one."

This talks about domains and not RRtypes. You can imagine a client 
noting that a domain is filtered and not sending other queries for the 
domain, when in this case they are fine; it's the RRtype which is being 
filtered.


Simon.


On 16/03/2023 20:58, Petr Menšík wrote:
> Hi!
> 
> I have raised the filtering topic on the DNS-OARC chat. One of the proposals was to 
> mark at least filtered records by EDE status, which current dnsmasq 
> supports already. I like it. We create a fake answer when the --filter-A or 
> --filter-AAAA option is used. It should be marked somehow.
> 
> There is also a proposal for more verbose error and contact information 
> [1], but at least marking the response as somehow synthesized is a good 
> start. I attached a change to rrfilter to report the number of modified 
> records. Then it marks any filtered response with the Filtered EDE code. I 
> expect the same should be possible for any other record type filtered, 
> except EDNS0 and DNSSEC records.
> 
> Credit for the idea goes to Vladimír Čunát. It might allow a potential 
> DNSSEC validator to not emit SERVFAIL on the bogus answer we made, if it 
> would trust our response for any reason.
> 
> What do you think?
> 
> By the way, maybe we should also strip the RRSIG for those records if 
> present. It looks like a bug to me. But it would not make validating 
> resolvers happier anyway.
> 
> ; <<>> DiG 9.18.12 <<>> -4 @localhost -p 2053 example.org a +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21029
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1220
> ; COOKIE: b2ad85a9275d948e02176a79641381dce6990a257f089ec5 (good)
> ; EDE: 17 (Filtered)
> ;; QUESTION SECTION:
> ;example.org.            IN    A
> 
> ;; ANSWER SECTION:
> example.org.        32748    IN    RRSIG    A 8 2 86400 20230323193411 
> 20230302075235 43798 example.org. 
> QwrK73kR5vStRzG6IPOpYU2exzSIOatl1p8DffKi4PP2Ig8yAL43AhVu 
> 2bsA0I0EFINH3xvF2IiM7eyR/fMm8rfeAsG1pokOFOOhlYQQHhglgfu6 
> mgNJnFrHUs3M+JNBNyAay42aSSDt5gXcvk77nx32uWv40pfknU7wH2Xc rP4=
> 
> [1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
> 
> 


