Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FR] Support for RESINFO RRType 261 (RFC9606) #1207

Open
mdavids opened this issue Dec 18, 2024 · 4 comments
Open

[FR] Support for RESINFO RRType 261 (RFC9606) #1207

mdavids opened this issue Dec 18, 2024 · 4 comments
Assignees
@gthess
Milestone
Future release

Comments

@mdavids
Copy link

mdavids commented Dec 18, 2024

Current behavior
It seems that the RFC9606 RESINFO RRType 261 is not yet supported.
(I checked version 1.22.0)

Describe the desired feature
Support RESINFO RRType

Potential use-case
For example to be able to use it in local-data, like:

local-data: 'resolver.arpa RESINFO "qnamemin temp-dnssecval infourl=https://example.nl"'
gthess added a commit that referenced this issue Dec 20, 2024
@gthess
- For #1207: [FR] Support for RESINFO RRType 261 (RFC9606), add
e57e537 
  LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
@gthess gthess self-assigned this Dec 20, 2024
@gthess gthess added this to the Future release milestone Dec 20, 2024
@gthess
Copy link
Member

gthess commented Dec 20, 2024

Hi @mdavids,

I added the RESINFO type, so the potential use-case can be used in the configuration.

However I believe this needs a second pass in the future (why I leave the issue open atm), to properly address the RFC.
With that in mind, Unbound needs to intercept the RESINFO type (because it could be any name AFAIK) and, if enabled to reply, give out the information or refuse otherwise. It would be possible to custom configure the contents of the record to accommodate for unknown keys like temp-dnsseceval in your example.

@mdavids
Copy link
Author

mdavids commented Dec 20, 2024
edited
Loading

Thank you for doing this. And I appreciate you leave the issue open for a second pass.

I've been thinking about this as well, as the RFC raises some questions with me. It might perhaps be a bit ambiguous.

The RFC says that a client: "MUST set the RD bit to 0 and MUST discard the response if the AA flag in the response is set to 0".

The 'local-data method' seems to provide the proper response under these conditions (I tested it with TXT, for the lack of RESINFO), so that could be sufficient. But maybe you can think of better ways to implement RFC9606-support in Unbound?

To me RFC9606 has some resemblance with RFC4892 ("id.server"), but then again, maybe not. It seems okay to forward any RESINFO queries when there is no local-data or similar 'interception mechanism' defined, given the RD and AA requirements mentioned above. But I'm still a bit puzzled here.

Anyway... You might want to test this in real life with DNS4ALL, where we made an attempt to implement it:

dig +https +norec @resolver.dns4all.eu RESINFO resolver.dns4all.eu

dig +https +norec @resolver.dns4all.eu RESINFO resolver.arpa

With and without RD-bit, to see the difference. What do you think?

Also, please note the DoH-option, which is one of two REQUIRED options mentioned in the _Security Consideration_s section. The other one is 'local DNSSEC validation', which I don't quite understand (we do not prohibit Do53 however, because we don't care).

@gthess
Copy link
Member

gthess commented Dec 20, 2024

The RFC says that a client: "MUST set the RD bit to 0 and MUST discard the response if the AA flag in the response is set to 0".

I believe the part about the AA flag is so that client is sure the reply is coming from the resolver itself.
The part about the RD is for the resolver to not try and process/forward that further if it doesn't know about RESINFO.

So I believe if your resolver knows about RESINFO, it can reply with the AA flag and don't care about the client RD bit because it will never try to resolve it in the first place.

To me RFC9606 has some resemblance with RFC4892 ("id.server"), but then again, maybe not. It seems okay to forward any RESINFO queries when there is no local-data or similar 'interception mechanism' defined, given the RD and AA requirements mentioned above. But I'm still a bit puzzled here.

Actually this is exactly how I was planning to implement this. Intercept the RESINFO type regardless of the qname and return back the information depending how Unbound is configured. If no information is to be returned, refused would be used. But since Unbound would know about RESINFO, it will never process the query further.

The other one is 'local DNSSEC validation', which I don't quite understand (we do not prohibit Do53 however, because we don't care).

I don't think that DNSSEC can help in practice. For sure you can't sign resolver.arpa, and having signed information in a zone-ish thing does not mean that the resolver that happens to serve that record has those capabilities. It would also be an operational nightmare I suppose.
So transport security does help for the client, but the resolver can just answer with RESINFO anywhere.

Btw I am thinking along these lines for configuration (also note to self):

server:
    ...
    resinfo: yes
    resinfo-qnamemin: yes
    resinfo-exterr: yes
    resinfo-exterr-override: "<provide own values for the exterr key>"
    resinfo-infourl: ""
    resinfo-override: "<a whole custom RESINFO record, it will override everything>"
    resinfo-additional: "<additional data to include, like temp-dnsseceval"
    ...

@mdavids
Copy link
Author

mdavids commented Dec 20, 2024

FYI: please note that I did not make up 'temp-dnsseceval' entirely out of the blue:

https://datatracker.ietf.org/doc/draft-bortzmeyer-add-resinfo-dnssecval-dns64/

jedisct1 added a commit to jedisct1/unbound that referenced this issue Dec 26, 2024
@jedisct1
Merge remote-tracking branch 'nlnet/master'
074ee24 
* nlnet/master:
  - For NLnetLabs#1207: [FR] Support for RESINFO RRType 261 (RFC9606), add   LDNS_RR_TYPE_RESINFO similar to LDNS_RR_TYPE_TXT.
  Changelog entry for NLnetLabs#1204: - Merge NLnetLabs#1204: ci: set persist-credentials: false for actions/checkout   per zizmor suggestion.
  set persist-credentials: false per zizmor suggestion
  - Fix typo in log_servfail.tdir test.
  Changelog entry for NLnetLabs#1187: - Merge NLnetLabs#1187: Create the SSL_CTX for QUIC before chroot and privilege   drop.
  Create the SSL_CTX for QUIC before chroot and privilege drop (NLnetLabs#1187)
  - Safeguard alias loop while looking in the cache for expired answers.
  - Merge NLnetLabs#1198: Fix log-servfail with serve expired and no useful cache   contents.
  - For NLnetLabs#1175, the default value of serve-expired-ttl is set to 86400   (1 day) as suggested by RFC8767.
  Changelog entry for NLnetLabs#1189, NLnetLabs#1197: - Merge NLnetLabs#1189: Fix the dname_str method to cause conversion errors   when the domain name length is 255. - Merge NLnetLabs#1197: dname_str() fixes.
  - For NLnetLabs#1193, introduce log-servfail.tdir and cleanup the log-servfail   setting from other tests.
  - Fix NLnetLabs#1193: log-servfail fails to log host SERVFAIL responses in   Unbound 1.19.2 on Ubuntu 24.04.1 LTS, by not considering cached   failures when trying to reply with expired data.
  - For NLnetLabs#1189, homogenize the input buffer size for dname_str().
  - For NLnetLabs#1189, add unit tests for dname_str() and debug check the input   buffer size.
  Fix the dname_str method to cause conversion errors when the domain name length is 255
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gthess gthess

Labels
None yet
Projects
None yet
Milestone
Future release
Development

No branches or pull requests
2 participants
@mdavids @gthess