Re: can I provide invalid HTTPS values for testing?
Hiya,

On 20/06/2024 14:34, Ondřej Surý wrote:
> Stephen, you actually gave me an idea - you should use a BIND version
> without HTTPS record support and just convert the records to TYPExxx
> form. That way, there will be no parser standing in your way and you
> can put all kinds of rubbish to the zone.

Yep, there are likely some tests where I'll want to do that, or similar, but I'm good for a while at least with cases where the badness is mostly within the base64 encoding of the ECHConfigList, which bind seems ok with.

> P.S.: Why am I even helping you when the eduroam at TCD didn’t work
> for me last week ;))).

I can only apologise for our eduroam setup (again, I've had to do it before;-), but happy to supply an apologetic beverage next time we meet.

Cheers,
S.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: can I provide invalid HTTPS values for testing?
Stephen, you actually gave me an idea - you should use a BIND version without HTTPS record support and just convert the records to TYPExxx form. That way, there will be no parser standing in your way and you can put all kinds of rubbish to the zone.

P.S.: Why am I even helping you when the eduroam at TCD didn’t work for me last week ;))).

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 20. 6. 2024, at 15:29, Stephen Farrell wrote:
>
> Hi again,
>
> Actually, it may well be that bind allows me sufficient
> leeway to do most of the tests I want, so this is just
> to check that there's no imminent plan to have bind
> disallow the kind of rubbish HTTPS RRs below. If that's
> not likely to change in the next few months, then I'd
> say I'm fine. (With apologies for the noise;-)
>
> Thanks,
> S.
>
> $ dig +short https dodgy.test.defo.ie
> 1 . alpn="\"" ipv4hint=10.0.0.1 ech=Cg==
> 1 . ech=AAA=
> 1 . ech=ADn+DQA128zMACBZkH1hkFTJB6Hyls62Pd4dV/cvFdsXJgGi9rVeZufNDwAEAAEAAQAGYmFyLmllAAA=
> 1 . alpn="\"" ipv4hint=10.0.0.1 ech
> 1 . alpn="\"" ipv4hint=10.0.0.0 ech=Cg==
Re: can I provide invalid HTTPS values for testing?
Hi again,

Actually, it may well be that bind allows me sufficient leeway to do most of the tests I want, so this is just to check that there's no imminent plan to have bind disallow the kind of rubbish HTTPS RRs below. If that's not likely to change in the next few months, then I'd say I'm fine. (With apologies for the noise;-)

Thanks,
S.

$ dig +short https dodgy.test.defo.ie
1 . alpn="\"" ipv4hint=10.0.0.1 ech=Cg==
1 . ech=AAA=
1 . ech=ADn+DQA128zMACBZkH1hkFTJB6Hyls62Pd4dV/cvFdsXJgGi9rVeZufNDwAEAAEAAQAGYmFyLmllAAA=
1 . alpn="\"" ipv4hint=10.0.0.1 ech
1 . alpn="\"" ipv4hint=10.0.0.0 ech=Cg==
Re: can I provide invalid HTTPS values for testing?
Hiya,

Thanks all for the info/suggestions. I guess I'll have to try what Ondřej suggests or something similar, and that's ok.

Cheers,
S.
Re: can I provide invalid HTTPS values for testing?
> On 20 Jun 2024, at 15:29, Michael Richardson wrote:
>
> Mark Andrews wrote:
>> Named and nsupdate validate input for types they know about (both text
>> and wire). You would have to use versions that are not HTTPS aware and
>> use unknown type format.
>
> So, he could code it in Perl or Python or something which had a dynamic DNS
> library. Bind itself wouldn't validate the "ascii-hex" part when it receives
> it.

Named will reject HTTPS records that it can determine are invalid. This includes in UPDATE requests. The server will return FORMERR to the dynamic update client.

See lib/dns/rdata/in_1/svcb_64.c for all the checks performed.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
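
The unknown-type conversion that Ondřej Surý and Mark Andrews describe above, as an added example that is not part of the original thread or of BIND's code: it packs SVCB/HTTPS RDATA from raw parameter bytes and renders it in RFC 3597 generic form (`TYPE65 \# <length> <hex>`). The helper names, the owner name and TTL, and the reading of `alpn="\""` as a single one-byte ALPN id are assumptions; as the thread says, a named that knows the HTTPS type will still validate such records.

```python
import base64
import ipaddress
import struct

# SvcParamKey numbers from the IANA registry (RFC 9460).
SVC_PARAM_KEYS = {"alpn": 1, "ipv4hint": 4, "ech": 5}
HTTPS_TYPE = 65


def name_to_wire(name: str) -> bytes:
    """Encode a domain name as uncompressed wire-format labels ("." -> root)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def alpn_value(*ids: bytes) -> bytes:
    """ALPN SvcParamValue: each protocol id prefixed by a one-byte length."""
    return b"".join(bytes([len(i)]) + i for i in ids)


def svcb_rdata(priority: int, target: str, params: dict) -> bytes:
    """Build SVCB/HTTPS RDATA; param values are raw bytes and are NOT validated."""
    rdata = struct.pack("!H", priority) + name_to_wire(target)
    # RFC 9460 requires SvcParams in strictly increasing key order on the wire.
    for key in sorted(params, key=SVC_PARAM_KEYS.__getitem__):
        value = params[key]
        rdata += struct.pack("!HH", SVC_PARAM_KEYS[key], len(value)) + value
    return rdata


def to_generic(owner: str, ttl: int, rdata: bytes) -> str:
    """Render RDATA in RFC 3597 unknown-type presentation format."""
    body = f"\\# {len(rdata)} {rdata.hex()}".rstrip()
    return f"{owner} {ttl} IN TYPE{HTTPS_TYPE} {body}"


def sample_zone_lines(owner="dodgy.test.example.", ttl=300):
    """Constructed samples modelled on the first two records in the dig output."""
    records = [
        {"alpn": alpn_value(b'"'),
         "ipv4hint": ipaddress.IPv4Address("10.0.0.1").packed,
         "ech": base64.b64decode("Cg==")},      # one byte, not an ECHConfigList
        {"ech": base64.b64decode("AAA=")},      # two zero bytes (empty list)
    ]
    return [to_generic(owner, ttl, svcb_rdata(1, ".", p)) for p in records]


if __name__ == "__main__":
    print("\n".join(sample_zone_lines()))
```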