Fix EDNS behavior for queries #1147
Conversation
tgreenx
added
T-Bug
tgreenx
requested review from
mattias-p,
matsduf,
hannaeko,
a user and
marc-vanderwal
@matsduf I included this change initally but now I removed it because I am not entirely sure if it is needed. Looking at specifications, Nameserver02 is testing whether OPT records are present in responses of EDNS queries (" |
|
@vlevigneron Some unitary tests in |
Do I understand it correctly that that some queries were meant to be EDNS queries but were sent as non-EDNS queries? |
Yes, in Nameserver10 if a server does not respond properly to EDNS vers 0 queries they should just be ignored.
The DNSQueryAndResponseDefaults.md applies to all specifications that have been updated to refer to it. The idea is that we should not report the same problem i several test cases. If a server cannot handle EDNS at all, then only Nameserver02 should report that. |
Yes that's right, in Nameserver10. |
|
@mattias-p @matsduf please re-review. |
|
Issue has been identified (checking with |
|
After reconsideration, this proves too much of a hassle to update all unitary tests data files. Another good reason to move to the upcoming zonemaster/zonemaster#1113. I went with the less elegant solution, that doesn't impact the query cache. |
|
@matsduf @mattias-p please re-review |
|
Unitary tests will need another pass as my machine didn't have an IPv6 connectivity |
There is really no reason to have
The same thing here, the DO setting must be under the control of the test case. I suggest that this PR deprecates those two profile settings. Keep them, but make it impossible to change the default values ("dnssec" : false, "edns_size" : 0) via profile setting. Then remove them completely in v2023.2. |
Done, both settings are now effectively useless when set in the profile. See commit b1fe3ee. I also rebased on latest develop. |
lib/Zonemaster/Engine/Constants.pm
Outdated
| @@ -282,6 +284,12 @@ C<$UDP_PAYLOAD_LIMIT> | |||
|
|
|||
| =item * | |||
|
|
|||
| C<$UDP_EDNS_PAYLOAD_LIMIT> | |||
|
|
|||
| The EDNS0 UDP maximum size. | |||
There was a problem hiding this comment.
I don’t quite get the difference between UDP_PAYLOAD_LIMIT, UDP_EDNS_PAYLOAD_LIMIT and UDP_COMMON_EDNS_LIMIT from reading this file. Can you elaborate, and document those two other constants as well?
There was a problem hiding this comment.
From the value, UDP_EDNS_PAYLOAD_LIMIT is the lowest value of UDP payload in EDNS. If lower, it must be treated as 512. UDP_EDNS_PAYLOAD_MIN is maybe a better name? There is also a maximum value. Should that be considered?
There was a problem hiding this comment.
UDP_PAYLOAD_LIMIT is not used to check incoming DNS packets, but only used in DELEGATION03 to check if a constructed packet with the assumed referral for the domain name would exceed 512 Bytes or not.
UDP_COMMON_EDNS_LIMIT is used to generate a message out of test case if the packet data is larger than UDP_COMMON_EDNS_LIMIT (as defined above) which feels quite arbitrarily. There are two sizes that could be valid to react on:
- Larger than the value set in the query. That is not permitted.
- Larger than 1232 because the greatly increases the risk of fragmented UDP.
The new UDP_EDNS_PAYLOAD_LIMIT is used as the UDP size setting in the default query. I suggest the name UDP_EDNS_QUERY_DEFAULT or something like that.
There was a problem hiding this comment.
The new UDP_EDNS_PAYLOAD_LIMIT is used as the UDP size setting in the default query. I suggest the name UDP_EDNS_QUERY_DEFAULT or something like that.
That works for me. Updated.
lib/Zonemaster/Engine/Constants.pm
Outdated
| @@ -282,6 +284,12 @@ C<$UDP_PAYLOAD_LIMIT> | |||
|
|
|||
| =item * | |||
|
|
|||
| C<$UDP_EDNS_PAYLOAD_LIMIT> | |||
|
|
|||
| The EDNS0 UDP maximum size. | |||
There was a problem hiding this comment.
UDP_PAYLOAD_LIMIT is not used to check incoming DNS packets, but only used in DELEGATION03 to check if a constructed packet with the assumed referral for the domain name would exceed 512 Bytes or not.
UDP_COMMON_EDNS_LIMIT is used to generate a message out of test case if the packet data is larger than UDP_COMMON_EDNS_LIMIT (as defined above) which feels quite arbitrarily. There are two sizes that could be valid to react on:
- Larger than the value set in the query. That is not permitted.
- Larger than 1232 because the greatly increases the risk of fragmented UDP.
The new UDP_EDNS_PAYLOAD_LIMIT is used as the UDP size setting in the default query. I suggest the name UDP_EDNS_QUERY_DEFAULT or something like that.
lib/Zonemaster/Engine/Nameserver.pm
Outdated
| Set the DO flag in the query. | ||
| Set the DO flag in the query. Defaults to false. | ||
|
|
||
| Enables the query to be an EDNS query if set to true. |
There was a problem hiding this comment.
Unclear. Should it say that EDNS is automatically enabled if the DO flag is set?
There was a problem hiding this comment.
Yes - is that not what this sentence says? Otherwise I can rephrase, e.g. "If set to true, enables the query to be an EDNS query", or something entirely different. I have used this wording for all the documentation here.
There was a problem hiding this comment.
I think the sentence starting with "if set to true" is easier to read.
|
@tgreenx, what is the status of this PR? |
- EDNS handling has been updated - the main issue was that setting only the version of EDNS would not enable EDNS
queries. Some refactoring as well in that regard.
- Default EDNS packet size has been updated to 512 in profile.pm, as per the specification (DNSQueryAndResponseDefaults.md).
- Some test cases in Test/Nameserver.pm were not checking if the OPT record was present in the responses to EDNS
queries (default behavior as per the same specification).
- Unitary tests updated accordingly.
Revert Test Case checks for OPT record in EDNS responses
Fixes EDNS behavior for non EDNS queries
Add resolver.defaults.edns_size documentation in Profile.pm
Refactoring.
EDNS queries will now be correctly enabled using any "edns_details" parameters ("version", "z", "do", "udp_size", etc)..
Setting "edns_size" will have no effect (i.e. not enable the query as an EDNS query) unless a parameter of "edns_details" is also specified.
"edns_details->udp_size" and "edns_size" have the same effect, but "udp_size" takes precedence if both are provided.
Update after review - more refactoring, more documentation
Update after review - specify handling of dnssec/do, more documentation
Fix existence check in hash
Use less elegant fix
Update unitary files
Check for existence of hash keys instead of definedness Rename supported keys 'edns_details->udp_size' to 'edns_details->size' and 'edns_details->extended_rcode' to 'edns_details->rcode' to better match with underlying Zonemaster::LDNS functions Update documentation of 'dnssec' and 'edns_size' Update all EDNS test cases with explicit mention of EDNS version when enabling it in query. Although this is not necessary (an empty hash would work the same since LDNS defaults the version number to 0 when not specified), more explicit the better (and future-proof). Update unitary tests 't/Test-dnssec.t' TODO section
I have addressed latest comments and rebased on latest develop. Please re-review. |
lib/Zonemaster/Engine/Constants.pm
Outdated
| @@ -282,6 +284,12 @@ C<$UDP_PAYLOAD_LIMIT> | |||
|
|
|||
| =item * | |||
|
|
|||
| C<$UDP_EDNS_QUERY_DEFAULT> | |||
|
|
|||
| The EDNS0 UDP maximum size. | |||
There was a problem hiding this comment.
$UDP_EDNS_QUERY_DEFAULT is the default setting in EDNS in queries from Zonemaster. 512 is also the lower limit of what you may announce in EDNS.
There was a problem hiding this comment.
I forgot to update that part - it now reads:
C<$UDP_EDNS_QUERY_DEFAULT>
An integer, used to define the EDNS0 UDP packet size in EDNS queries.
Deprecate Profile settings "dnssec" and "edns_size" - changing their value will now have no effect. Planned for complete removal in 2023.2. Added new constant UDP_EDNS_QUERY_DEFAULT Restore 'edns_size' previous value in profile.json
There was a problem hiding this comment.
Looks good to me.
It’s a shame we cannot investigate the failing unit tests further. It does seem, however, that the test zones themselves are at fault and not the code, because I ran ZONEMASTER_RECORD=1 prove -l t/Test-dnssec.t with an unrelated branch and got even more errors.
matsduf
added
the
V-Patch
Purpose
This PR fixes bugs regarding EDNS behavior in Engine.
For future reference (i.e., what this PR does):
edns_detailsparameters ("version", "z", "do", "size", etc), or when none are given (empty hash). The main issue before this PR was that usingedns_details->version = 0would not enable the query as an EDNS query. Seezonemaster-engine/lib/Zonemaster/Engine/Nameserver.pm
Lines 310 to 311 in 47475c6
edns_details->sizeandedns_sizehave the same effect -edns_details->sizetakes precedence if both are provided. The first is a query parameter used exclusively in Test Cases, while the latter is a profile parameter (for queries too, but that can also be set directly in Test Cases).edns_details->doanddnssec;edns_details->dotakes precedence.edns_sizeexclusively will not enable the query as an EDNS query. It will be used only when the query is enabled as an EDNS query (i.e. withdnssecoredns_details).Context
While implementing #1034, I noticed odd behaviors when playing around EDNS queries and responses.
Also, note that Test Cases nameserver10 to 14 (14 being NYI, see #1033) don't have unitary tests which can partly explain why such an issue was not seen before. I created issue #1146 for that.
Also fixes #501
Changes
edns_detailsedns_details->udp_sizetoedns_details->sizeandedns_details->extended_rcodetoedns_details->rcodeto better match with underlying Zonemaster::LDNS functions.Some test cases in Test/Nameserver.pm were not checking if the OPT record was present in the responses to EDNS queries (default behavior as per the same specification).edns_details->versionfor every EDNS query in all test casesHow to test this PR
Tests should pass.