From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] test if nameservers with DNSSEC support return "ad"-flagged data
Date: Mon, 22 Jan 2018 13:51:06 +0000
Message-ID: <1516629066.3647.190.camel@ipfire.org>
In-Reply-To: <20180120162509.7b128413.peter.mueller@link38.eu>

Hi,

basically this patch works. But I have a few issues I would like to point
out and use as a bit of an exercise for everyone.

On Sat, 2018-01-20 at 16:25 +0100, Peter Müller wrote:
> DNSSEC-validating nameservers return an "ad" (Authenticated Data)
> flag in the DNS response header. This can be used as a negative
> indicator for DNSSEC validation: In case a nameserver does not
> return the flag, but fails to look up a domain with an invalid
> signature, it does not support DNSSEC validation.
>
> This makes it easier to detect nameservers which do not fully
> comply with the RFCs or try to tamper with DNS queries.
>
> See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further
> details.
>
> Signed-off-by: Peter Müller
> ---
> src/initscripts/system/unbound | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
> index 4e7e63e5f..410631f86 100644
> --- a/src/initscripts/system/unbound
> +++ b/src/initscripts/system/unbound
> @@ -364,7 +364,12 @@ ns_is_validating() {
> local ns=${1}
> shift
>
> - dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
> + if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
> + return 1
> + else
> + # Determine if NS replies with "ad" data flag if DNSSEC
> enabled
> + dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | grep "\;\;\
> flags:" | awk -F\: '{ print $2 }' | awk -F\; '{ print $1 }' | grep -q "\ ad"
> + fi

a) Parsing the human-readable output of a tool is always a bad idea. It
might change or change just one character and the entire chain doesn't
work any more. Let's hope we will notice that before our users do.

b) There is no need to use grep here. awk can grep like this:

  awk -F: '/;; flags:/ { print $2 }'

That will save you from calling grep here which increases performance. Using
awk and grep is also not really a good idea because every subprocess takes
ages to execute. The network code in IPFire 3 doesn't use awk at all and
grep in rare cases.

https://git.ipfire.org/?p=network.git&a=search&h=HEAD&st=grep&s=grep
https://git.ipfire.org/?p=network.git&a=search&h=HEAD&st=grep&s=awk

But to not complicate the code too much we can use awk here. But there is no
need for grep.

> }
>
> # Checks if we can retrieve the DNSKEY for this domain.
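Review bot: the else branch ending at `+ fi` returns whatever the final `grep -q "\ ad"` exits with, so a resolver that answers without "ad" and a `dig` that fails outright (timeout, unreachable server) both come back as 1 and the caller cannot tell a non-validating resolver from a transport problem; an explicit `return` with a comment on each outcome would make the contract of ns_is_validating() clear. The if/else can also be flattened, since the SERVFAIL test already gates the second query: `dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL || return 1` followed by the flags check. Finally, `grep -q "\ ad"` is a substring match on the flags field; matching `ad` only as a whole token of the space-separated flag list is cheap and avoids surprises should the output format change.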
Best,
-Michael
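The single-awk approach suggested above, worked into a small checker for the "ad" flag. This is an added example, not code from the IPFire patch or from the reply; the two dig header samples are constructed rather than captured from a real resolver, and ns_returns_ad is a hypothetical wrapper name. It goes a little beyond the patch by matching "ad" only as a whole token of the flag list and by treating a missing flags line as "not validated".

```shell
#!/bin/sh
# Added example, not part of the IPFire patch or the reply above.
# Tests whether dig's ";; flags:" line lists "ad" (Authenticated Data),
# using one awk process instead of a grep | awk | awk | grep chain.

# Constructed sample output (assumption: the header lines a validating
# resolver prints for a signed zone; not captured from a real server).
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Constructed sample from a resolver that answers but does not validate.
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Reads dig output on stdin. Exits 0 when "ad" appears as a whole token in
# the flag list, 1 otherwise (also when no flags line is present at all).
flags_have_ad() {
    awk -F: '
        /^;; flags:/ {
            sub(/;.*/, "", $2)              # keep only the text before ";"
            n = split($2, flag, " ")        # split the flag list on whitespace
            for (i = 1; i <= n; i++)
                if (flag[i] == "ad") found = 1
        }
        END { exit (found ? 0 : 1) }        # found stays unset (false) if never seen
    '
}

# Hypothetical wrapper in the spirit of ns_is_validating(): query the
# resolver with the DO bit set (+dnssec) and print only the header comments,
# which is where the flags line lives. Needs network access, so the offline
# demonstration below exercises flags_have_ad on the samples instead.
ns_returns_ad() {
    ns=$1; domain=$2; shift 2
    dig @"$ns" +dnssec +noall +comments SOA "$domain" "$@" | flags_have_ad
}

# Offline demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_AD" | flags_have_ad; then
    echo "sample 1: ad flag present"
else
    echo "sample 1: ad flag missing"
fi
if printf '%s\n' "$SAMPLE_NO_AD" | flags_have_ad; then
    echo "sample 2: ad flag present"
else
    echo "sample 2: ad flag missing"
fi
```

The awk program keeps the parsing in one place: the field separator isolates everything after "flags:", the substitution drops the rest of the line from the first ";" on, and the token comparison means a flag list such as "qr rd ra ad" is accepted while any other text containing the letters "ad" is not.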