Re: can I provide invalid HTTPS values for testing?

2024-06-19 Thread Michael Richardson

Mark Andrews  wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.

So, he could code it in Perl or Python or something which had a dynamic DNS
library.  Bind itself wouldn't validate the "ascii-hex" part when it receives
it.



-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
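
Added example, not written by any poster in this thread: the unknown type format mentioned above is RFC 3597's `\# <length> <hex>` text form, with HTTPS written as TYPE65. The Python below decodes that form and applies the structural checks a client parser should make on HTTPS RDATA per RFC 9460; the function names and the three sample records are constructed for illustration.

```python
import struct

def to_unknown_format(rdata: bytes) -> str:
    """Render RDATA as RFC 3597 generic text: \\# <length> <hex>."""
    return f"\\# {len(rdata)} {rdata.hex()}"

def from_unknown_format(text: str) -> bytes:
    """Decode RFC 3597 generic text, checking the declared length."""
    fields = text.split()
    if len(fields) < 2 or fields[0] != "\\#":
        raise ValueError("not RFC 3597 generic rdata")
    rdata = bytes.fromhex("".join(fields[2:]))
    if len(rdata) != int(fields[1]):
        raise ValueError("declared length does not match hex data")
    return rdata

def check_https_rdata(rdata: bytes) -> list:
    """Structural problems in HTTPS (TYPE65) RDATA; [] means well-formed."""
    pos = 2  # SvcPriority is the first two octets
    while True:  # TargetName: uncompressed labels ending with a zero octet
        if pos >= len(rdata):
            return ["TargetName missing or runs past end of RDATA"]
        label_len = rdata[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len > 63:
            return ["TargetName label length over 63"]
        pos += label_len
    problems, last_key = [], -1
    while pos < len(rdata):  # SvcParams: key(2) length(2) value(length)
        if len(rdata) - pos < 4:
            problems.append("truncated SvcParam header")
            break
        key, vlen = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key:  # keys must be strictly increasing on the wire
            problems.append(f"SvcParamKey {key} out of order or repeated")
        last_key = key
        if vlen > len(rdata) - pos:
            problems.append(f"SvcParamKey {key} length {vlen} overruns RDATA")
            break
        pos += vlen
    return problems

# Constructed samples: priority 1, target ".", alpn=h2; then two damaged copies.
GOOD = "\\# 10 00010000010003026832"
BAD_LENGTH = "\\# 10 00010000010004026832"  # alpn length says 4, 3 octets follow
BAD_ORDER = "\\# 16 00010000030002005000010003026832"  # port (3) before alpn (1)
```
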


Re: can I provide invalid HTTPS values for testing?

2024-06-19 Thread Ondřej Surý
Stephen,

I would suggest writing a specialized DNS server using dnspython rather than 
trying to cram the crap into existing DNS servers.

Then it should be possible to use something like this: 
https://hypothesis.readthedocs.io/en/latest/ to generate the test cases 
automatically.

Cheers,
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 20. 6. 2024, at 3:40, Stephen Farrell  wrote:
> 
> 
> Hiya,
> 
> Apologies if this is a repeat, I spent a bit of time looking
> but didn't find stuff...
> 
> I'd like to publish various HTTPS RRs with dodgy encodings
> in order to test which clients handle things well or badly.
> 
> Were it possible to use nsupdate for that, that'd make my
> life simpler, but I've not found a way to do that so far.
> 
> What I'd like to be able to do in nsupdate would be like:
> 
>  update add example.com 300 HTTPS 
> 
> Where the ascii-hex value is some (broken) variant of what
> I'd get from:
> 
>  dig +unknownformat https example.com
> 
> Is there a way to do that?
> 
> Thanks in advance,
> Stephen.
> 
> 


Re: can I provide invalid HTTPS values for testing?

2024-06-19 Thread Mark Andrews
Named and nsupdate validate input for types they know about (both text
and wire). You would have to use versions that are not HTTPS aware and
use unknown type format.

Mark

> On 20 Jun 2024, at 11:39, Stephen Farrell  wrote:
> 
> 
> Hiya,
> 
> Apologies if this is a repeat, I spent a bit of time looking
> but didn't find stuff...
> 
> I'd like to publish various HTTPS RRs with dodgy encodings
> in order to test which clients handle things well or badly.
> 
> Were it possible to use nsupdate for that, that'd make my
> life simpler, but I've not found a way to do that so far.
> 
> What I'd like to be able to do in nsupdate would be like:
> 
>  update add example.com 300 HTTPS 
> 
> Where the ascii-hex value is some (broken) variant of what
> I'd get from:
> 
>  dig +unknownformat https example.com
> 
> Is there a way to do that?
> 
> Thanks in advance,
> Stephen.
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



can I provide invalid HTTPS values for testing?

2024-06-19 Thread Stephen Farrell


Hiya,

Apologies if this is a repeat, I spent a bit of time looking
but didn't find stuff...

I'd like to publish various HTTPS RRs with dodgy encodings
in order to test which clients handle things well or badly.

Were it possible to use nsupdate for that, that'd make my
life simpler, but I've not found a way to do that so far.

What I'd like to be able to do in nsupdate would be like:

  update add example.com 300 HTTPS 

Where the ascii-hex value is some (broken) variant of what
I'd get from:

  dig +unknownformat https example.com

Is there a way to do that?

Thanks in advance,
Stephen.





Re: qname minimization: me too :(

2024-06-19 Thread Peter
On Wed, Jun 19, 2024 at 10:33:41PM +0200, Stephane Bortzmeyer wrote:
! On Wed, Jun 19, 2024 at 10:15:48PM +0200,
!  Peter  wrote 
!  a message of 32 lines which said:
! 
! >   today I happened to look into a named.log, and found it full of
! > qname minimization messages.
! 
! Which message? Could you copy-and-paste it?

Yes, sure. I grabbed three typical cases to analyze further, and
currently trying to understand the proceedings - unsuccessfully, up
to now. :(

Case 1:
---
Jun 19 17:42:12  conr named[24481]: lame-servers:
   info: success resolving '26.191.165.185.in-addr.arpa/PTR'
   after disabling qname minimization due to 'ncache nxdomain'

This one does not point back to me, but nevertheless I do not
see the lame server.

Case 2:
---
Jun 19 18:02:44  conr named[24481]: lame-servers:
   info: success resolving 'reactivite.fr.intra.daemon.contact/'
   after disabling qname minimization due to 'ncache nxdomain'

Here, for whatever reason, the client was not happy with the official
answer on "reactivite.fr", and tried to append the search domain for
internal hosts on my LAN.
So this does absolutely point to me, only. The recursing LAN server
asks the authoritative LAN server (same image, different view), and
that one basically says, this is bogus.

Case 3:
---
Jun 19 18:28:48  conr named[24481]: lame-servers:
   info: success resolving
   '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.1.0.0.3.2.f.1.0.7.4.0.1.0.0.2.ip6.arpa/PTR'
   after disabling qname minimization due to 'ncache nxdomain'

This one does also point back to me (kind of), because HE does
delegate the rDNS zones (I love them), only they do not do DNSSEC
in the rDNS. It correctly ends up at my authoritative public servers
and gets resolved.


I'm currently extracting the exact proceedings from dnstap - but I
don't get much enlightenment from them.


Re: qname minimization: me too :(

2024-06-19 Thread Stephane Bortzmeyer
On Wed, Jun 19, 2024 at 10:15:48PM +0200,
 Peter  wrote 
 a message of 32 lines which said:

>   today I happened to look into a named.log, and found it full of
> qname minimization messages.

Which message? Could you copy-and-paste it?



qname minimization: me too :(

2024-06-19 Thread Peter


Hi all,
  today I happened to look into a named.log, and found it full of
qname minimization messages.
Now as far as I understand, the saying goes that this is a problem
of misconfigured upstream nameservers and we cannot do much about
it.

But, what if these "misconfigured upstream servers" happen to be
some of my own? What do I do then?

Because I've seen through the proceedings, and I do not yet see
the error.

cheerio,
Peter


Re: Debian download source on ISC website

2024-06-19 Thread Ondřej Surý
If by production-ready you mean it’s reasonably well-tested, we are using it 
ourselves and it also matches what’s being uploaded to Debian directly then yes.

If you mean there will be no bugs and it will magically work until the end of 
times without any effort then you might be disappointed.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 19. 6. 2024, at 9:19, Dominic Preston  wrote:
> 
> Hello,
> 
> When browsing for Debian download sources on
> https://www.isc.org/download/ , there is a link to
> https://bind.debian.net/bind
> 
> When clicking on https://bind.debian.net/bind I am redirected to
> https://packages.sury.org/bind/
> 
> Since it is listed on https://www.isc.org/download/ , can I assume
> packages.sury.org is an official ISC download source suitable for
> production deployment?
> 
> Regards,
> Dominic.



Debian download source on ISC website

2024-06-19 Thread Dominic Preston
Hello,

When browsing for Debian download sources on
https://www.isc.org/download/ , there is a link to
https://bind.debian.net/bind

When clicking on https://bind.debian.net/bind I am redirected to
https://packages.sury.org/bind/

Since it is listed on https://www.isc.org/download/ , can I assume
packages.sury.org is an official ISC download source suitable for
production deployment?

Regards,
Dominic.