Re: can I provide invalid HTTPS values for testing?
Mark Andrews wrote: > Named and nsupdate validate input for types they know about (both text > and wire). You would have to use versions that are not HTTPS aware and > use unknown type format. So, he could code it in Perl or Python or something which had a dynamic DNS library. Bind itself wouldn't validate the "ascii-hex" part when it receives it. signature.asc Description: PGP signature -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: can I provide invalid HTTPS values for testing?
Stephen, I would suggest to write a specialized DNS server using dnspython rather than trying to cram the crap into existing DNS servers. Then it should be possible to use something like this: https://hypothesis.readthedocs.io/en/latest/ to generate the test cases automatically. Cheers, -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 20. 6. 2024, at 3:40, Stephen Farrell wrote: > > > Hiya, > > Apologies if this is a repeat, I spent a bit of time looking > but didn't find stuff... > > I'd like to publish various HTTPS RRs with dodgy encodings > in order to test which clients handle things well or badly. > > Were it possible to use nsupdate for that, that'd make my > life simpler, but I've not found a way to do that so far. > > What I'd like to be able to do in nsupdate would be like: > > update add example.com 300 HTTPS > > Where the ascii-hex value is some (broken) variant of what > I'd get from: > > dig +unknownformat https example.com > > Is there a way to do that? > > Thanks in advance, > Stephen. > > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: can I provide invalid HTTPS values for testing?
Named and nsupdate validate input for types they know about (both text and wire). You would have to use versions that are not HTTPS aware and use unknown type format. Mark > On 20 Jun 2024, at 11:39, Stephen Farrell wrote: > > > Hiya, > > Apologies if this is a repeat, I spent a bit of time looking > but didn't find stuff... > > I'd like to publish various HTTPS RRs with dodgy encodings > in order to test which clients handle things well or badly. > > Were it possible to use nsupdate for that, that'd make my > life simpler, but I've not found a way to do that so far. > > What I'd like to be able to do in nsupdate would be like: > > update add example.com 300 HTTPS > > Where the ascii-hex value is some (broken) variant of what > I'd get from: > > dig +unknownformat https example.com > > Is there a way to do that? > > Thanks in advance, > Stephen. > > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
can I provide invalid HTTPS values for testing?
Hiya, Apologies if this is a repeat, I spent a bit of time looking but didn't find stuff... I'd like to publish various HTTPS RRs with dodgy encodings in order to test which clients handle things well or badly. Were it possible to use nsupdate for that, that'd make my life simpler, but I've not found a way to do that so far. What I'd like to be able to do in nsupdate would be like: update add example.com 300 HTTPS Where the ascii-hex value is some (broken) variant of what I'd get from: dig +unknownformat https example.com Is there a way to do that? Thanks in advance, Stephen. OpenPGP_0xE4D8E9F997A833DD.asc Description: OpenPGP public key OpenPGP_signature.asc Description: OpenPGP digital signature -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: qname minimization: me too :(
On Wed, Jun 19, 2024 at 10:33:41PM +0200, Stephane Bortzmeyer wrote: ! On Wed, Jun 19, 2024 at 10:15:48PM +0200, ! Peter wrote ! a message of 32 lines which said: ! ! > today I happened to look into a named.log, and found it full of ! > qname minimization messages. ! ! Which message? Could you copy-and-paste it? Yes, sure. I grabbed three typical cases to analyze further, and currently trying to understand the proceedings - unsuccessfully, up to now. :( Case 1: --- Jun 19 17:42:12 conr named[24481]: lame-servers: info: success resolving '26.191.165.185.in-addr.arpa/PTR' after disabling qname minimization due to 'ncache nxdomain' This one does not point back to me, but nevertheless I do not see the lame server. Case 2: --- Jun 19 18:02:44 conr named[24481]: lame-servers: info: success resolving 'reactivite.fr.intra.daemon.contact/' after disabling qname minimization due to 'ncache nxdomain' Here, for whatever reason, the client was not happy with the official answer on "reactivite.fr", and tried to append the search domain for internal hosts on my LAN. So this does absolutely point to me, only. The recursing LAN server asks the authoritative LAN server (same image, different view), and that one basically says, this is bogus. Case 3: --- Jun 19 18:28:48 conr named[24481]: lame-servers: info: success resolving '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.1.0.0.3.2.f.1.0.7.4.0.1.0.0.2.ip6.arpa/PTR' after disabling qname minimization due to 'ncache nxdomain' This one does also point back to me (kind of), because HE does delegate the rDNS zones (I love them), only they do not do DNSSEC in the rDNS. It correctly ends up at my autoritative public servers and gets resolved. I'm currently extracting the exact proceedings from dnstap - but I don't get much enlighenment from them. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: qname minimization: me too :(
On Wed, Jun 19, 2024 at 10:15:48PM +0200, Peter wrote a message of 32 lines which said: > today I happened to look into a named.log, and found it full of > qname minimization messages. Which message? Could you copy-and-paste it? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
qname minimization: me too :(
Hi all, today I happened to look into a named.log, and found it full of qname minimization messages. Now as far as I understand, the saying goes that this is a problem of misconfigured upstream nameservers and we cannot do much about it. But, what if these "misconfigured upstream servers" happen do be some of my own? What do I do then? Because I've seen through the proceedings, and I do not yet see the error. cheerio, Peter -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Debian download source on ISC website
If by production-ready you mean it’s reasonably well-tested, we are using it ourselves and it also matches what’s being uploaded to Debian directly then yes. If you mean there will be no bugs and it will magically work until the end of times without any effort then you might be disappointed. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. > On 19. 6. 2024, at 9:19, Dominic Preston wrote: > > Hello, > > When browsing for Debian download sources on > https://www.isc.org/download/ , there is a link to > https://bind.debian.net/bind > > When clicking on https://bind.debian.net/bind I am redirected to > https://packages.sury.org/bind/ > > Since it is listed on https://www.isc.org/download/ , can I assume > packages.sury.org is an official ISC download source suitable for > production deployment? > > Regards, > Dominic. > -- > Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from > this list > > ISC funds the development of this software with paid support subscriptions. > Contact us at https://www.isc.org/contact/ for more information. > > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Debian download source on ISC website
Hello, When browsing for Debian download sources on https://www.isc.org/download/ , there is a link to https://bind.debian.net/bind When clicking on https://bind.debian.net/bind I am redirected to https://packages.sury.org/bind/ Since it is listed on https://www.isc.org/download/ , can I assume packages.sury.org is an official ISC download source suitable for production deployment? Regards, Dominic. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
