I think that looks like a sensible change. I'm slightly worried about
the definition of EDE_FILTERED:
4.18. Extended DNS Error Code 17 - Filtered
The server is unable to respond to the request because the domain is
on a blocklist as requested by the client. Functionally, this
amounts to "you requested that we filter domains like this one."
which talks about domains and not RRtypes. You can imagine a client
noting that a domain is filtered and not sending other queries for the
domain, when in this case they are fine; it's the RRtype which is being
filtered.
Simon.
On 16/03/2023 20:58, Petr Menšík wrote:
Hi!
I have raised the filtering topic on the DNS-OARC chat. One of the proposals was to
mark at least filtered records by EDE status, which current dnsmasq
supports already. I like it. We create a fake answer when the --filter-A or
--filter-AAAA option is used. It should be marked somehow.
There is also a proposal for a more verbose error and contact information
[1], but at least marking the response as somehow synthesized is a good
start. I attached a change to rrfilter to report the number of modified
records. Then it marks any filtered response with the Filtered EDE code. I
expect the same should be possible for any other record type filtered,
except EDNS0 and DNSSEC records.
Credit for the idea goes to Vladimír Čunát. It might allow a potential
DNSSEC validator to not emit SERVFAIL on the bogus answer we made, if it
would trust our response for any reason.
What do you think?
By the way, maybe we should also strip the RRSIG for those records if
present. It looks like a bug to me. But it would not make validating
resolvers more happy anyway.
; <<>> DiG 9.18.12 <<>> -4 @localhost -p 2053 example.org a +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1220
; COOKIE: b2ad85a9275d948e02176a79641381dce6990a257f089ec5 (good)
; EDE: 17 (Filtered)
;; QUESTION SECTION:
;example.org. IN A
;; ANSWER SECTION:
example.org. 32748 IN RRSIG A 8 2 86400 20230323193411
20230302075235 43798 example.org.
QwrK73kR5vStRzG6IPOpYU2exzSIOatl1p8DffKi4PP2Ig8yAL43AhVu
2bsA0I0EFINH3xvF2IiM7eyR/fMm8rfeAsG1pokOFOOhlYQQHhglgfu6
mgNJnFrHUs3M+JNBNyAay42aSSDt5gXcvk77nx32uWv40pfknU7wH2Xc rP4=
[1] https://datatracker.ietf.org/doc/draft-ietf-dnsop-structured-dns-error/
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
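The point Simon raises is about what a client can actually learn from the EDE option: RFC 8914 encodes EDE as EDNS option code 15 carrying a 2-octet INFO-CODE (17 = Filtered) plus optional free-form UTF-8 EXTRA-TEXT, and nothing in the INFO-CODE says whether the name or only the RRtype was filtered. The following is an added example written for this page, not dnsmasq code and not from either poster. It builds a response shaped like the dig output above (NOERROR, no answer RRs, OPT RR with EDE 17) using only the Python standard library, then parses the OPT RR back out the way a client would. The EXTRA-TEXT strings are constructed for illustration; no convention for signalling "RRtype filtered, domain otherwise fine" in EXTRA-TEXT is defined by RFC 8914, and the UDP payload size and message id are arbitrary.

```python
"""Build and parse a DNS response carrying an Extended DNS Error (EDE) option.

Added example for the dnsmasq-discuss thread above; not dnsmasq code.
Wire format per RFC 6891 (EDNS0 OPT pseudo-RR) and RFC 8914 (EDE option:
2-octet INFO-CODE followed by optional UTF-8 EXTRA-TEXT). The sample
messages are constructed here and only resemble the thread's dig output.
"""
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
EDE_OPTION_CODE = 15   # RFC 8914 option code
EDE_FILTERED = 17      # RFC 8914 section 4.18
QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_filtered_response(qname: str, qtype: int, extra_text: str = "",
                            msg_id: int = 0x5225) -> bytes:
    """Synthesise a NOERROR/NODATA response whose OPT RR carries EDE 17.

    This mimics what a resolver that filters an RRtype (as dnsmasq's
    --filter-A / --filter-AAAA does) could return: the question is echoed,
    the answer section is empty, and the only signal is the EDE option.
    """
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    ede_payload = struct.pack("!H", EDE_FILTERED) + extra_text.encode("utf-8")
    rdata = struct.pack("!HH", EDE_OPTION_CODE, len(ede_payload)) + ede_payload
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size (1232 assumed),
    # TTL=extended RCODE/version/flags (all zero), RDLENGTH, RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 octets, ends the name
            return off + 2
        off += 1 + length


def parse_ede(msg: bytes) -> list:
    """Return every (INFO-CODE, EXTRA-TEXT) pair found in the message's OPT RR.

    Note what is *not* returned: the INFO-CODE alone never says which
    RRtype, if any, was the reason for filtering. Only EXTRA-TEXT can carry
    that, and its content is free-form.
    """
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                found.append((info, body[2:].decode("utf-8", errors="replace")))
    return found


def is_filtered(msg: bytes) -> bool:
    """True if the response carries EDE 17, regardless of scope."""
    return any(code == EDE_FILTERED for code, _ in parse_ede(msg))


if __name__ == "__main__":
    # Constructed sample: A query filtered, no EXTRA-TEXT (like the dig output).
    bare = build_filtered_response("example.org", QTYPE_A)
    # Constructed sample: same, with an (ad hoc, non-standard) hint about scope.
    hinted = build_filtered_response("example.org", QTYPE_AAAA,
                                     "AAAA filtered; other RRtypes unaffected")
    print(parse_ede(bare))    # [(17, '')]
    print(parse_ede(hinted))  # [(17, 'AAAA filtered; other RRtypes unaffected')]
```

Both messages look identical to a client that only inspects the INFO-CODE, which is exactly the ambiguity Simon describes: a client that caches "example.org is filtered" from the first message and suppresses its other queries for that name would be wrong, since only one RRtype was dropped.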