19 Úno
2023
19 Úno
'23
18:26
Hi there,
I'm trying to implement SVCB record "_dns.resolver.arpa" for DDR
mechanism for our AS50242 recursive resolvers.
When I look on Cloudflare or Google implementation, they answer with
"ADDITIONAL SECTION" also.
kdig _dns.resolver.arpa @8.8.8.8 type64
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61402
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 4
;; QUESTION SECTION:
;; _dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 86400 IN SVCB 1 dns.google. alpn=dot
_dns.resolver.arpa. 86400 IN SVCB 2 dns.google. alpn=h2,h3
key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google. 86400 IN A 8.8.8.8
dns.google. 86400 IN A 8.8.4.4
dns.google. 86400 IN AAAA 2001:4860:4860::8888
dns.google. 86400 IN AAAA 2001:4860:4860::8844
In Knot Resolver documentation is an example how to answer for SVCB
request but without addition section.
policy.add(
policy.domains(
policy.ANSWER(
{ [kres.type.SVCB] = { rdata=kres.parse_rdata({
'SVCB 1 resolver.example. alpn=dot ipv4hint=192.0.2.1
ipv6hint=2001:db8::1',
'SVCB 2 resolver.example. mandatory=key65380 alpn=h2
key65380=/dns-query{?dns}',
}), ttl=5 } }
), { todname('_testing.domain') }))
Can anyone help me, how to add additional section to answer? Do we
need to use policy.custom_action(state, request)?
Thanks!
Blažej
19 Úno
19 Úno
20:04
I ended up with error ....
local ffi = require('ffi')
local function DDR_SVCB(state, req)
local answer = req:ensure_answer()
if answer == nil then return nil end
local qry = req:current()
if qry.stype ~= kres.type.SVCB then
return state
end
ffi.C.kr_pkt_make_auth_header(answer)
answer:rcode(kres.rcode.NOERROR)
answer:begin(kres.section.ANSWER)
local msg = '1 resolver.example. alpn=dot ipv4hint=192.0.2.1
ipv6hint=2001:db8::1'
answer:put(qry.sname, 900, answer:qclass(), kres.type.SVCB,
string.char(#msg) .. msg)
answer:begin(kres.section.ADDITIONAL)
answer:put(qry.sname, 900, answer:qclass(), kres.type.A,
kres.str2ip('109.236.119.2'))
answer:put(qry.sname, 900, answer:qclass(), kres.type.A,
kres.str2ip('109.236.120.2'))
answer:put(qry.sname, 900, answer:qclass(), kres.type.AAAA,
kres.str2ip('2a02:6ca3:0:1::2'))
answer:put(qry.sname, 900, answer:qclass(), kres.type.AAAA,
kres.str2ip('2a02:6ca3:0:2::2'))
return kres.DONE
end
policy.add(policy.domains(DDR_SVCB, policy.todnames({'_testing.domain'})))
it results in
kdig _testing.domain @109.236.120.2 type64
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 63653
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 4
;; QUESTION SECTION:
;; _testing.domain. IN SVCB
;; ANSWER SECTION:
;; WARNING: can't print whole section
;; ADDITIONAL SECTION:
_testing.domain. 900 IN A 109.236.119.2
_testing.domain. 900 IN A 109.236.120.2
_testing.domain. 900 IN AAAA 2a02:6ca3:0:1::2
_testing.domain. 900 IN AAAA 2a02:6ca3:0:2::2
;; Received 202 B
;; Time 2023-02-19 20:01:08 CET
;; From 109.236.120.2@53(UDP) in 0.2 ms
ne 19. 2. 2023 o 18:26 Blažej Krajňák <blazej.krajnak(a)gmail.com> napísal(a):
Hi there,
I'm trying to implement SVCB record "_dns.resolver.arpa" for DDR
mechanism for our AS50242 recursive resolvers.
When I look on Cloudflare or Google implementation, they answer with
"ADDITIONAL SECTION" also.
kdig _dns.resolver.arpa @8.8.8.8 type64
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 61402
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 4
;; QUESTION SECTION:
;; _dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 86400 IN SVCB 1 dns.google. alpn=dot
_dns.resolver.arpa. 86400 IN SVCB 2 dns.google. alpn=h2,h3
key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.google. 86400 IN A 8.8.8.8
dns.google. 86400 IN A 8.8.4.4
dns.google. 86400 IN AAAA 2001:4860:4860::8888
dns.google. 86400 IN AAAA 2001:4860:4860::8844
In Knot Resolver documentation is an example how to answer for SVCB
request but without addition section.
policy.add(
policy.domains(
policy.ANSWER(
{ [kres.type.SVCB] = { rdata=kres.parse_rdata({
'SVCB 1 resolver.example. alpn=dot ipv4hint=192.0.2.1
ipv6hint=2001:db8::1',
'SVCB 2 resolver.example. mandatory=key65380 alpn=h2
key65380=/dns-query{?dns}',
}), ttl=5 } }
), { todname('_testing.domain') }))
Can anyone help me, how to add additional section to answer? Do we
need to use policy.custom_action(state, request)?
Thanks!
Blažej
21:36
On 19/02/2023 20.04, Blažej Krajňák wrote:
local msg = '1 resolver.example. alpn=dot
ipv4hint=192.0.2.1
ipv6hint=2001:db8::1'
answer:put(qry.sname, 900, answer:qclass(), kres.type.SVCB,
string.char(#msg) .. msg)
This part won't construct correct wire format for SVCB.
I think this example should work:
-- Parse RDATA, from presentation to wire-format.
-- in: a string or table of strings, each a line describing RRTYPE+RDATA
-- out: a table of RDATA strings in wire-format
function parse_rdata(strs, nothing)
local zonefile = require('zonefile')
if nothing ~= nil then -- accidents like forgetting braces
error('one string or table of strings is accepted', 2)
end
if type(strs) ~= 'table' then strs = { strs } end -- TODO: allow this case?
local res = {}
for _, line in ipairs(strs) do
if type(line) ~= 'string' then
error('one string or table of strings is accepted', 2)
end
local rrs = zonefile.string('. ' .. line)
if #rrs == 0 then error('failed to parse line: ' .. line, 2) end
for _, rr in ipairs(rrs) do
table.insert(res, rr.rdata)
end
end
return res
end
svcb_str = {
'SVCB 1 dns.quad9.net. alpn=dot port=853 ipv4hint=9.9.9.9,149.112.112.112
ipv6hint=2620:fe::fe',
'SVCB 2 dns.quad9.net. mandatory=key65380 alpn=h2 port=443
ipv4hint=9.9.9.9,149.112.112.112 ipv6hint=2620:fe::fe
key65380="/dns-query{?dns}"',
}
policy.add(
policy.suffix(
policy.ANSWER({ [kres.type.SVCB] = { rdata=parse_rdata(svcb_str), ttl=300 } },
true),
{ todname('_dns.resolver.arpa') }))
22:09
ne 19. 2. 2023 o 21:36 Vladimír Čunát <vladimir.cunat(a)nic.cz> napísal(a):
This part won't construct correct wire format for
SVCB.
Yes, you are correct. I had to find more about SVCB records.
But your solution is still missing "additional section".
I build up working solution:
local ffi = require('ffi')
local function DDR_SVCB(state, req)
local answer = req:ensure_answer()
if answer == nil then return nil end
local qry = req:current()
if qry.stype ~= kres.type.SVCB then
return state
end
ffi.C.kr_pkt_make_auth_header(answer)
answer:rcode(kres.rcode.NOERROR)
answer:begin(kres.section.ANSWER)
local records = kres.parse_rdata({
'SVCB 1 dns.levonet.sk. alpn=dot port=853
ipv4hint=109.236.119.2,109.236.120.2
ipv6hint=2a02:6ca3:0:1::2,2a02:6ca3:0:2::2',
'SVCB 2 dns.levonet.sk. alpn=h2 port=443
ipv4hint=109.236.119.2,109.236.120.2
ipv6hint=2a02:6ca3:0:1::2,2a02:6ca3:0:2::2 key7=/dns-query{?dns}',
})
for _, entry in ipairs(records) do
answer:put(qry.sname, 900, answer:qclass(), kres.type.SVCB, entry)
end
answer:begin(kres.section.ADDITIONAL)
answer:put(todname('dns.levonet.sk'), 900, answer:qclass(),
kres.type.A, kres.str2ip('109.236.119.2'))
answer:put(todname('dns.levonet.sk'), 900, answer:qclass(),
kres.type.A, kres.str2ip('109.236.120.2'))
answer:put(todname('dns.levonet.sk'), 900, answer:qclass(),
kres.type.AAAA, kres.str2ip('2a02:6ca3:0:1::2'))
answer:put(todname('dns.levonet.sk'), 900, answer:qclass(),
kres.type.AAAA, kres.str2ip('2a02:6ca3:0:2::2'))
return kres.DONE
end
policy.add(policy.domains(DDR_SVCB, policy.todnames({'_dns.resolver.arpa'})))
and it returns:
kdig _dns.resolver.arpa @109.236.120.2 type64
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 41607
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 4
;; QUESTION SECTION:
;; _dns.resolver.arpa. IN SVCB
;; ANSWER SECTION:
_dns.resolver.arpa. 900 IN SVCB 1 dns.levonet.sk. alpn=dot port=853
ipv4hint=109.236.119.2,109.236.120.2
ipv6hint=2a02:6ca3:0:1::2,2a02:6ca3:0:2::2
_dns.resolver.arpa. 900 IN SVCB 2 dns.levonet.sk. alpn=h2 port=443
ipv4hint=109.236.119.2,109.236.120.2
ipv6hint=2a02:6ca3:0:1::2,2a02:6ca3:0:2::2 key7="/dns-query{?dns}"
;; ADDITIONAL SECTION:
dns.levonet.sk. 900 IN A 109.236.119.2
dns.levonet.sk. 900 IN A 109.236.120.2
dns.levonet.sk. 900 IN AAAA 2a02:6ca3:0:1::2
dns.levonet.sk. 900 IN AAAA 2a02:6ca3:0:2::2
;; Received 324 B
;; Time 2023-02-19 22:00:07 CET
;; From 109.236.120.2@53(UDP) in 0.8 ms
22:13
On 19/02/2023 22.09, Blažej Krajňák wrote:
But your solution is still missing "additional
section".
Sure. I meant to just supply what you were missing by an older snippet.
And I don't think the additional section is needed really, though I
haven't looked into the DDR draft for months.
20 Úno
20 Úno
12:20
Moin!
On 19 Feb 2023, at 22:13, Vladimír Čunát wrote:
On 19/02/2023 22.09, Blažej Krajňák wrote:
It still is not needed. The draft said it SHOULD include them. Given that the SVCB draft
which is used as a basis specifies and ipv4hint and ipv6hint scvbparam I have been using
this instead, but am not sure if they are actually used by clients. However I can assure
you that both the Apple and Microsoft clients work without an additional section.
So long
-Ralf
——-
Ralf Weber
But your solution is still missing
"additional section".
Sure. I meant to just supply what you were missing by an older snippet.
And I don't think the additional section is needed really, though I haven't
looked into the DDR draft for months.
671
days inactive
672
days old
knot-resolver-users@lists.nic.cz
5 comments
3 participants
participants (3)
-
Blažej Krajňák -
Ralf Weber -
Vladimír Čunát