Re: can I provide invalid HTTPS values for testing?
On Thu, Jun 20, 2024 at 02:29:13PM +0100, Stephen Farrell wrote a message of 100 lines which said:

> Actually, it may well be that bind allows me sufficient leeway to do
> most of the tests I want, so this is just to check that there's no
> imminent plan to have bind disallow the kind of rubbish HTTPS RRs
> below.

A related issue: does anyone know a software / service which tests HTTPS records and actually connects to the HTTPS server to see if it indeed supports what it claims to support? (Testing all ALPNs, all IP hints, etc.)

"Error, HTTP record says alpn=h3 but HTTP/3 setup failed"

Bonus if I can integrate it in Nagios/Icinga/Zabbix/etc.

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: can I provide invalid HTTPS values for testing?
Hiya,

On 20/06/2024 14:34, Ondřej Surý wrote:
> Stephen, you actually gave me an idea - you should use a BIND version
> without HTTPS record support and just convert the records to TYPExxx
> form. That way, there will be no parser standing in your way and you
> can put all kinds of rubbish into the zone.

Yep, there are likely some tests where I'll want to do that, or similar, but I'm good for a while at least with cases where the badness is mostly within the base64 encoding of the ECHConfigList, which bind seems ok with.

> P.S.: Why am I even helping you when the eduroam at TCD didn't work
> for me last week ;))).

I can only apologise for our eduroam setup (again, I've had to do it before;-), but happy to supply an apologetic beverage next time we meet.

Cheers,
S.
Re: can I provide invalid HTTPS values for testing?
Stephen, you actually gave me an idea - you should use a BIND version without HTTPS record support and just convert the records to TYPExxx form. That way, there will be no parser standing in your way and you can put all kinds of rubbish into the zone.

P.S.: Why am I even helping you when the eduroam at TCD didn't work for me last week ;))).

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 20. 6. 2024, at 15:29, Stephen Farrell wrote:
>
> Hi again,
>
> Actually, it may well be that bind allows me sufficient
> leeway to do most of the tests I want, so this is just
> to check that there's no imminent plan to have bind
> disallow the kind of rubbish HTTPS RRs below. If that's
> not likely to change in the next few months, then I'd
> say I'm fine. (With apologies for the noise;-)
>
> Thanks,
> S.
>
> $ dig +short https dodgy.test.defo.ie
> 1 . alpn="\"" ipv4hint=10.0.0.1 ech=Cg==
> 1 . ech=AAA=
> 1 . ech=ADn+DQA128zMACBZkH1hkFTJB6Hyls62Pd4dV/cvFdsXJgGi9rVeZufNDwAEAAEAAQAGYmFyLmllAAA=
> 1 . alpn="\"" ipv4hint=10.0.0.1 ech
> 1 . alpn="\"" ipv4hint=10.0.0.0 ech=Cg==
Re: can I provide invalid HTTPS values for testing?
Hi again,

Actually, it may well be that bind allows me sufficient leeway to do most of the tests I want, so this is just to check that there's no imminent plan to have bind disallow the kind of rubbish HTTPS RRs below. If that's not likely to change in the next few months, then I'd say I'm fine. (With apologies for the noise;-)

Thanks,
S.

$ dig +short https dodgy.test.defo.ie
1 . alpn="\"" ipv4hint=10.0.0.1 ech=Cg==
1 . ech=AAA=
1 . ech=ADn+DQA128zMACBZkH1hkFTJB6Hyls62Pd4dV/cvFdsXJgGi9rVeZufNDwAEAAEAAQAGYmFyLmllAAA=
1 . alpn="\"" ipv4hint=10.0.0.1 ech
1 . alpn="\"" ipv4hint=10.0.0.0 ech=Cg==
Re: can I provide invalid HTTPS values for testing?
Hiya,

Thanks all for the info/suggestions. I guess I'll have to try what Ondřej suggests or something similar, and that's ok.

Cheers,
S.
Re: can I provide invalid HTTPS values for testing?
> On 20 Jun 2024, at 15:29, Michael Richardson wrote:
>
> Mark Andrews wrote:
>> Named and nsupdate validate input for types they know about (both text
>> and wire). You would have to use versions that are not HTTPS aware and
>> use unknown type format.
>
> So, he could code it in Perl or Python or something which had a dynamic DNS
> library. Bind itself wouldn't validate the "ascii-hex" part when it receives
> it.

Named will reject HTTPS records that it can determine are invalid. This includes in UPDATE requests. The server will return FORMERR to the dynamic update client. See lib/dns/rdata/in_1/svcb_64.c for all the checks performed.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
Re: can I provide invalid HTTPS values for testing?
Mark Andrews wrote:
> Named and nsupdate validate input for types they know about (both text
> and wire). You would have to use versions that are not HTTPS aware and
> use unknown type format.

So, he could code it in Perl or Python or something which had a dynamic DNS library. Bind itself wouldn't validate the "ascii-hex" part when it receives it.
Re: can I provide invalid HTTPS values for testing?
Stephen,

I would suggest writing a specialized DNS server using dnspython rather than trying to cram the crap into existing DNS servers. Then it should be possible to use something like this:

https://hypothesis.readthedocs.io/en/latest/

to generate the test cases automatically.

Cheers,
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 20. 6. 2024, at 3:40, Stephen Farrell wrote:
>
> Hiya,
>
> Apologies if this is a repeat, I spent a bit of time looking
> but didn't find stuff...
>
> I'd like to publish various HTTPS RRs with dodgy encodings
> in order to test which clients handle things well or badly.
>
> Were it possible to use nsupdate for that, that'd make my
> life simpler, but I've not found a way to do that so far.
>
> What I'd like to be able to do in nsupdate would be like:
>
> update add example.com 300 HTTPS
>
> Where the ascii-hex value is some (broken) variant of what
> I'd get from:
>
> dig +unknownformat https example.com
>
> Is there a way to do that?
>
> Thanks in advance,
> Stephen.
Re: can I provide invalid HTTPS values for testing?
Named and nsupdate validate input for types they know about (both text and wire). You would have to use versions that are not HTTPS aware and use unknown type format.

Mark

> On 20 Jun 2024, at 11:39, Stephen Farrell wrote:
>
> Hiya,
>
> Apologies if this is a repeat, I spent a bit of time looking
> but didn't find stuff...
>
> I'd like to publish various HTTPS RRs with dodgy encodings
> in order to test which clients handle things well or badly.
>
> Were it possible to use nsupdate for that, that'd make my
> life simpler, but I've not found a way to do that so far.
>
> What I'd like to be able to do in nsupdate would be like:
>
> update add example.com 300 HTTPS
>
> Where the ascii-hex value is some (broken) variant of what
> I'd get from:
>
> dig +unknownformat https example.com
>
> Is there a way to do that?
>
> Thanks in advance,
> Stephen.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
can I provide invalid HTTPS values for testing?
Hiya,

Apologies if this is a repeat, I spent a bit of time looking but didn't find stuff...

I'd like to publish various HTTPS RRs with dodgy encodings in order to test which clients handle things well or badly.

Were it possible to use nsupdate for that, that'd make my life simpler, but I've not found a way to do that so far.

What I'd like to be able to do in nsupdate would be like:

update add example.com 300 HTTPS

Where the ascii-hex value is some (broken) variant of what I'd get from:

dig +unknownformat https example.com

Is there a way to do that?

Thanks in advance,
Stephen.
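Two things come up repeatedly in the thread: the workaround of feeding the record to an HTTPS-unaware named or nsupdate in RFC 3597 unknown-type form (Ondřej's TYPExxx suggestion, Mark's "unknown type format", Stephen's ascii-hex from dig +unknownformat), and the fact that an HTTPS-aware named rejects RDATA it can determine is invalid. The Python below is an added example written for this page; it is not BIND code and does not reproduce lib/dns/rdata/in_1/svcb_64.c. It serialises an HTTPS RR from explicit (key, value) SvcParams without validating them, prints the TYPE65 \# generic presentation form, and separately runs checks modelled on RFC 9460 (plus the ECHConfigList length prefix from the TLS ECH draft) so you can see, before publishing, what a strict validator would object to. The sample vectors, including the ech=Cg== value taken from the dodgy.test.defo.ie output above, are constructed for the example.

```python
"""Encode HTTPS (TYPE65) RRs in wire form, emit RFC 3597 generic presentation
format, and list what a strict SVCB/HTTPS validator would object to.
Added example; not BIND code. Checks follow RFC 9460; the ech check follows
the ECHConfigList length prefix of the TLS ECH draft. Samples are constructed."""
import base64
import struct

# SvcParamKey code points (RFC 9460, section 14.3.2)
KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT = 0, 1, 2, 3
KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT = 4, 5, 6
HINT_UNIT = {KEY_IPV4HINT: 4, KEY_IPV6HINT: 16}  # address size per hint entry
HTTPS_TYPE = 65


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name; "." or "" is the root."""
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_https(priority: int, target: str, params: list) -> bytes:
    """Serialise SvcPriority, TargetName and (key, value) SvcParams exactly as
    given. Nothing is validated here, so deliberately broken vectors can be built."""
    wire = struct.pack("!H", priority) + encode_name(target)
    for key, value in params:
        wire += struct.pack("!HH", key, len(value)) + value
    return wire


def to_generic(wire: bytes) -> str:
    """RFC 3597 form, accepted by tools that do not know the HTTPS type."""
    return f"TYPE{HTTPS_TYPE} \\# {len(wire)} {wire.hex()}"


def validate_https(wire: bytes) -> list:
    """Return the problems found (empty list if the RDATA is well-formed)."""
    problems = []
    if len(wire) < 3:
        return ["rdata too short for SvcPriority plus TargetName"]
    priority = struct.unpack("!H", wire[:2])[0]
    pos = 2
    while True:  # walk the TargetName labels
        if pos >= len(wire):
            return ["truncated TargetName"]
        ll = wire[pos]
        if ll > 63:
            return [f"label length {ll} > 63 (no compression allowed in RDATA)"]
        pos += 1 + ll
        if ll == 0:
            break
    if priority == 0 and pos != len(wire):
        problems.append("AliasMode (priority 0) must not carry SvcParams")
    last_key, seen, mandatory = -1, set(), []
    while pos < len(wire):
        if len(wire) - pos < 4:
            problems.append("truncated SvcParam header")
            break
        key, vlen = struct.unpack("!HH", wire[pos:pos + 4])
        pos += 4
        value = wire[pos:pos + vlen]
        pos += vlen
        if len(value) != vlen:
            problems.append(f"key {key}: value length {vlen} exceeds remaining rdata")
            break
        if key <= last_key:
            problems.append(f"key {key}: SvcParamKeys must be strictly increasing")
        last_key = key
        seen.add(key)
        if key == KEY_MANDATORY:
            if vlen == 0 or vlen % 2:
                problems.append("mandatory: must be a non-empty list of 2-byte keys")
            else:
                mandatory = list(struct.unpack(f"!{vlen // 2}H", value))
                if KEY_MANDATORY in mandatory:
                    problems.append("mandatory: must not list itself")
        elif key == KEY_ALPN:
            if vlen == 0:
                problems.append("alpn: empty list")
            i = 0
            while i < vlen:  # each alpn-id is a 1-byte length followed by that many bytes
                n = value[i]
                if n == 0 or i + 1 + n > vlen:
                    problems.append("alpn: zero-length or truncated alpn-id")
                    break
                i += 1 + n
        elif key == KEY_NO_DEFAULT_ALPN and vlen != 0:
            problems.append("no-default-alpn: value must be empty")
        elif key == KEY_PORT and vlen != 2:
            problems.append("port: value must be exactly 2 bytes")
        elif key in HINT_UNIT and (vlen == 0 or vlen % HINT_UNIT[key]):
            problems.append(f"key {key}: length must be a non-zero multiple of {HINT_UNIT[key]}")
        elif key == KEY_ECH and (vlen < 2 or struct.unpack("!H", value[:2])[0] != vlen - 2):
            problems.append("ech: ECHConfigList length prefix does not match value")
    if KEY_NO_DEFAULT_ALPN in seen and KEY_ALPN not in seen:
        problems.append("no-default-alpn requires alpn")
    problems += [f"mandatory lists absent key {k}" for k in mandatory if k not in seen]
    return problems


# Constructed vectors. GOOD is well-formed; BAD_ECH reuses the thread's ech=Cg==
# (a single byte, so no valid ECHConfigList length prefix); BAD_ALPN has a zero-length id.
GOOD = encode_https(1, ".", [(KEY_ALPN, b"\x02h2\x02h3"), (KEY_IPV4HINT, bytes([10, 0, 0, 1]))])
BAD_ECH = encode_https(1, ".", [(KEY_ECH, base64.b64decode("Cg=="))])
BAD_ALPN = encode_https(1, ".", [(KEY_ALPN, b"\x00")])
```

Running `to_generic(GOOD)` gives the string to paste after the owner name, TTL and class in an nsupdate or zone file processed by an HTTPS-unaware build; `validate_https(BAD_ECH)` and `validate_https(BAD_ALPN)` each return one problem, which is the sort of record an HTTPS-aware named would answer with FORMERR instead of storing.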