-
Notifications
You must be signed in to change notification settings - Fork 917
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
auth udp: use stubDoResolve for ALIAS #14594
base: master
Are you sure you want to change the base?
Conversation
Pull Request Test Coverage Report for Build 11049952298Details
💛 - Coveralls |
e9c86c0
to
69fde7f
Compare
95880fa
to
312119e
Compare
this emits A+RRSIG for me, very nice. Did not verify the signature but I'm confident. |
haven't found anything yet! We'll need tests though |
I took the passing of the existing ALIAS tests as good enough. If you have something specific to test in mind, please let me know! |
oh. I didn't even check if we had those :D I'll have a look, testing the DNSSEC bits would probably be nice now. |
Does that mean that this PR also solves the problem of signing ALIAS responses? |
sure feels that way. Please test and give us your opinion :)
the existing tests are good besides, indeed, the DNSSEC thing. We test plenty of DNSSEC in |
oohh "Dnspython can do simple DNSSEC signature validation and signing." |
Now with DNSSEC tests using dnspython. |
6ae28d7
to
d127b24
Compare
I like the idea of dnssec and ALIAS. There is however something you cannot ignore. Using stubDoResolve will make ALIAS much more sensitive to exhausting all available backends. There are similarities wit LUA but the big difference with ALIAS is it's legacy. ALIAS is deployed in many places and is hand out to customers. Hopefully this didn't happen for LUA records ;) |
Yeah that was also my concern. But I guess one can a) get more backends and b) employ ratelimiting in front and also behind the auth. |
Given that the diff to packethandler itself is quite small, I wonder if we can give users the choice between 'old' (dnsproxy) and 'new' (stubDoResolve) |
Seems possible, but code and test complexity will go up. I can type it in, if we know we want this. |
understood
if people have existing deployments where users have the ability to enter ALIASed names (which I'm sure they do), I'm afraid @mind04's concerns are relevant. I did not think about existing users enough, before. |
What exactly is the problem with stubDoResolve and the Backends? Why does resolving a domain requires a backend? |
in this PR, the resolving happens synchronously inside the distributor thread, which has a database connection open |
"synchronously" sounds bad. Was the old code also synchronously or asynchronous? |
The old code was asynchronous, which is why doing DNSSEC there was so hard it never happened. |
That's bad. Having a zone with
and someone doing <random>.example.com with a few queries per second can cause a DoS attack. Do we have the same problem already if the incoming queries use TCP? |
No, only in the AXFR path. |
d127b24
to
b1726e0
Compare
Short description
Implements @Habbie's "alternate outcome" from #13039.
Somebody please tell me what is wrong with this :)
Checklist
I have: