Use experimental "_ A" minimization in relaxed mode.
qname minimization, even in relaxed mode, can fail on some very broken domains. In relaxed mode, instead of asking for "foo.bar NS" ask for "_.foo.bar A" to either get a delegation or NXDOMAIN. It will require more queries than regular mode for proper NXDOMAINs.
committed by
Evan Hunt
parent
2691e729f0
commit
ae52c2117e
@@ -98,7 +98,7 @@ def create_response(msg):
|
||||
r.set_rcode(NXDOMAIN)
|
||||
if ugly:
|
||||
r.set_rcode(FORMERR)
|
||||
elif "zoop.boing.".endswith(lqname):
|
||||
elif lqname.endswith("zoop.boing."):
|
||||
r.authority.append(dns.rrset.from_text("zoop.boing." + suffix, 1, IN, SOA, "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1"))
|
||||
r.set_rcode(NXDOMAIN)
|
||||
else:
|
||||
|
||||
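Review bot: The suffix test `lqname.endswith("zoop.boing.")` (assuming the second of the two printed `elif` lines is the new side) is a plain string comparison, not a label-aware one, so it also matches names such as `xzoop.boing.` that are not under `zoop.boing.`. For those names the fixture would return NXDOMAIN with the `zoop.boing.` SOA as authority for a name outside that zone. Anchoring on the label boundary avoids this: `elif lqname == "zoop.boing." or lqname.endswith(".zoop.boing."):`. A one-line comment such as `# any name at or below zoop.boing. not handled above: NXDOMAIN with the zone SOA` would also explain why the comparison direction was flipped for the `_.<name> A` probes. `create_response` starts and continues outside this hunk, so earlier branches may already narrow which names reach this test.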
@@ -109,7 +109,7 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "query for .good is properly minimized when qname-minimization is on ($n)"
|
||||
echo_i "query for .good is properly minimized when qname-minimization is in strict mode ($n)"
|
||||
ret=0
|
||||
$CLEANQL
|
||||
$RNDCCMD 10.53.0.6 flush
|
||||
@@ -142,6 +142,37 @@ for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "query for .good is properly minimized when qname-minimization is in relaxed mode ($n)"
|
||||
ret=0
|
||||
$CLEANQL
|
||||
$RNDCCMD 10.53.0.7 flush
|
||||
$DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.good. @10.53.0.7 > dig.out.test$n
|
||||
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
|
||||
grep "icky.icky.icky.ptang.zoop.boing.good. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1
|
||||
sleep 1
|
||||
sort ans2/query.log > ans2/query.log.sorted
|
||||
cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
|
||||
ADDR _.boing.good.
|
||||
ADDR _.zoop.boing.good.
|
||||
ADDR a.bit.longer.ns.name.good.
|
||||
ADDR a.bit.longer.ns.name.good.
|
||||
ADDR ns2.good.
|
||||
ADDR ns3.good.
|
||||
ADDR ns3.good.
|
||||
__EOF
|
||||
cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
|
||||
ADDR _.ptang.zoop.boing.good.
|
||||
ADDR _.icky.ptang.zoop.boing.good.
|
||||
__EOF
|
||||
cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
|
||||
ADDR _.icky.icky.ptang.zoop.boing.good.
|
||||
ADDR icky.icky.icky.ptang.zoop.boing.good.
|
||||
__EOF
|
||||
for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "query for .bad fails when qname-minimization is in strict mode ($n)"
|
||||
ret=0
|
||||
@@ -171,17 +202,22 @@ grep "icky.icky.icky.ptang.zoop.boing.bad. 1 IN A 192.0.2.1" dig.out.test$n > /d
|
||||
sleep 1
|
||||
sort ans2/query.log > ans2/query.log.sorted
|
||||
cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
|
||||
ADDR _.boing.bad.
|
||||
ADDR _.zoop.boing.bad.
|
||||
ADDR a.bit.longer.ns.name.bad.
|
||||
ADDR a.bit.longer.ns.name.bad.
|
||||
ADDR icky.icky.icky.ptang.zoop.boing.bad.
|
||||
ADDR ns2.bad.
|
||||
ADDR ns3.bad.
|
||||
ADDR ns3.bad.
|
||||
NS bad.
|
||||
NS boing.bad.
|
||||
__EOF
|
||||
echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | $DIFF ans3/query.log - > /dev/null || ret=1
|
||||
echo "ADDR icky.icky.icky.ptang.zoop.boing.bad." | $DIFF ans4/query.log - > /dev/null || ret=1
|
||||
cat << __EOF | $DIFF ans3/query.log - > /dev/null || ret=1
|
||||
ADDR _.ptang.zoop.boing.bad.
|
||||
ADDR _.icky.ptang.zoop.boing.bad.
|
||||
__EOF
|
||||
cat << __EOF | $DIFF ans4/query.log - > /dev/null || ret=1
|
||||
ADDR _.icky.icky.ptang.zoop.boing.bad.
|
||||
ADDR icky.icky.icky.ptang.zoop.boing.bad.
|
||||
__EOF
|
||||
for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
@@ -215,17 +251,17 @@ $DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.ugly. @10.53.0.7 > dig.out.test$n
|
||||
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
|
||||
grep "icky.icky.icky.ptang.zoop.boing.ugly. 1 IN A 192.0.2.1" dig.out.test$n > /dev/null || ret=1
|
||||
sleep 1
|
||||
|
||||
sort ans2/query.log > ans2/query.log.sorted
|
||||
cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || ret=1
|
||||
cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || cat ans2/query.log.sorted
|
||||
ADDR _.boing.ugly.
|
||||
ADDR _.boing.ugly.
|
||||
ADDR a.bit.longer.ns.name.ugly.
|
||||
ADDR a.bit.longer.ns.name.ugly.
|
||||
ADDR icky.icky.icky.ptang.zoop.boing.ugly.
|
||||
ADDR ns2.ugly.
|
||||
ADDR ns3.ugly.
|
||||
ADDR ns3.ugly.
|
||||
NS boing.ugly.
|
||||
NS boing.ugly.
|
||||
NS ugly.
|
||||
__EOF
|
||||
echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans3/query.log - > /dev/null || ret=1
|
||||
echo "ADDR icky.icky.icky.ptang.zoop.boing.ugly." | $DIFF ans4/query.log - > /dev/null || ret=1
|
||||
|
||||
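Review bot: In the `.ugly` check, the ans2 comparison now ends in `|| cat ans2/query.log.sorted` where it previously ended in `|| ret=1` (assuming the second of the two printed `cat << __EOF` lines is the new side). A mismatch in the queries seen by ans2 therefore prints the log but no longer fails the test. This looks like leftover debugging. It matters because this comparison is the only thing asserting which query names reach the upstream server, so a regression in what the resolver discloses would pass silently. Keeping both the diagnostic and the failure is a one-line change: `cat << __EOF | $DIFF ans2/query.log.sorted - > /dev/null || { cat ans2/query.log.sorted; ret=1; }`.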