-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ignore DNSKEY RRs with incalculable key sizes #135
Conversation
The `se` and `nic.se` zones have evolved a little. The tests made over the network using these zones have been slightly updated to fix errors and be aligned with current zone configuration.
a896431
to
2dac323
Compare
2dac323
to
95f1c1e
Compare
I rebased onto the "Split section accessors into XS and Perl parts" commit from #136 in order to make the conflict resolution simpler when merging the second one. |
95f1c1e
to
0b45f9d
Compare
How does this PR relate to #136? I see similar or identical changes in both. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be fine, but unrelated changes should move to another PR.
ok( $rr->keytag == 59747 or $rr->keytag == 59407 ); | ||
# .SE KSK should not change very often. 59407 has replaced 59747. | ||
# Now (February 2022) only 59407 is used. | ||
ok( $rr->keytag == 59407 ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not related to this PR as defined in the description. Move this to a separate PR. More of that below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice! Tanks for the detailed description and documentation. I agree it would be nice to have better messages. In the meantime this is good to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, a welcome change
That’s odd: according to my testing, the unit tests pass, but by following the testing procedure in this PR, I still get crashes. I saved
Yet I could verify that my Docker image had indeed the modified version of Zonemaster::LDNS. What’s even stranger, is that running the same test against the current state of
Maybe |
It seems that In that file, I found one instance of a DNSKEY record that is completely empty (i.e. with zero RDLENGTH, and thus zero fields out of the required four) instead of only missing its public key. Out of curiosity, I added the following unit test to # Contains a DNSKEY RR that is completely empty (i.e. has zero
# fields out of the required 4)
subtest 'malformed RR: completely empty' => sub {
my $data = decode_base64( "BleFgAABAAEAAAAADW5sYWdyaWN1bHR1cmUCbmwAAAEAAcAMADAAAQAAAAAAAA==");
my $p = Zonemaster::LDNS::Packet->new_from_wireformat( $data );
my ( $rr, @extra ) = $p->answer_unfiltered;
eq_or_diff \@extra, [], "no extra RRs found";
if ( !defined $rr ) {
BAIL_OUT( "no RR found" );
}
is $rr->keydata, "", "empty DNSKEY RR yields empty keydata";
is $rr->keysize, -1, "empty DNSKEY RR yields keysize of -1";
} This triggered the exact assertion failure I saw when running my tests with So, in a nutshell:
So, in the end, this PR looks good to me; only the “how to test this PR” was wrong, because the unit tests were sufficient. But it does also mean that someone should fuzz test LDNS. |
Purpose
This PR makes us ignore DNSKEY RRs with empty public key fields instead of crashing.
Context
Fixes #110.
Implements the specification updates from zonemaster/zonemaster#1041.
Changes
-1
sentinel value instead of crashing or returning a negative number of bits.How to test this PR
A test case is provided in #110.
Notes
After this PR when a zone with a single bad DNSKEY whose key size is incalculable, we get the following behaviors:
In principle I believe these are reasonable behaviors, but at least some of the tag names are a bit misleading. Especially the word "response" is unfortunate in this context. Perhaps it would also make sense to qualify "dnskey" with the adjective "valid" since there might actually be an RR in the answer section with the DNSKEY type that just happens to be broken enough that it is ignored.