Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
NSD4 refuse-ANY-query patch
--- nsd-4.1.7/query.c 2015-11-18 17:50:05.000000000 +0900
+++ nsd-4.1.7-refuse-any/query.c 2016-04-09 03:34:09.312740769 +0900
@@ -677,7 +677,7 @@
assert(query);
/* Currently, only troublesome for DNSKEY and DS,
* cuz their RRSETs are quite large. */
- return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS);
+ return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS && query->qtype != TYPE_ANY);
}
static int
@@ -930,6 +930,7 @@
{
add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
++added;
+ break;
}
}
if (added == 0) {
@hdais

This comment has been minimized.

Copy link
Owner Author

commented Feb 9, 2016

Description

A patch for NSD 4.1.7 to minimize ANY response as per draft-ietf-dnsop-refuse-any.
When NSD receives ANY query for existing owner name it returns a single RRSet (plus RRSIG) instead of all RRSets.
This patch doesn't synthesize HINFO. It picks only a single RRSet (plus RRSIG).

How to patch

gzip -dc nsd-4.1.7.tar.gz | tar xvf -
cd nsd-4.1.7
patch -l -p1 < ../nsd-4.1.7-refuse-any.diff
@hdais

This comment has been minimized.

Copy link
Owner Author

commented Feb 9, 2016

w/ patch

$ dig @::1 hdais.net ANY +dnssec
;; ANSWER SECTION:
hdais.net.      5   IN  SOA ns1.hdais.net. dais.hdais.net. 1460057401 10 10 604800 30
hdais.net.      5   IN  RRSIG   SOA 8 2 5 20160507183001 20160407183001 32310 hdais.net. AjjDGKev2OyBwAKHYCcxM5c8QvwJYyRvmyPzIkuyleMVVs2k/0yxEdPG3u39le3yFuYPfC57Np7FykXZkbDprDpSJcnOeBtECjxw/e4uFB935B1 X+Bw22vgRnUPCWEiC/6zSmW4Taam1bHCy2EgiQ/s9raVARB4KfM5zmVJofQr0rYNebyyUC+Uq4TkTN6mWBI+qnu/MFAV+DR9sKqLG5RSe21YlLW8 UQamAKFUXLhoIW4/98mY9AuN6B+lQTmro9W3clQI+zBCv2pwOe9yRF9E+pBF7/ftUxcUxTWfMP6AVBpg4SOt3Rz5SOpgtvYBvuM4UeCSoA5GVATe GgnKQg==

;; MSG SIZE  rcvd: 470

w/o patch

$ dig @::1 hdais.net ANY +dnssec
;; ANSWER SECTION:
hdais.net.      5   IN  SOA ns1.hdais.net. dais.hdais.net. 1460057401 10 10 604800 30
hdais.net.      0   IN  NSEC3PARAM 1 0 0 DEADBEEF
hdais.net.      5   IN  DNSKEY  257 3 8 AwEAAb2UmrsgRp7NRC0r3F4pgt+cq535MKrHlpN70LhTztZ67RQdgE1L y/Yz+xiztqCyxqz+JoMBQsBAKOCTtUKHd/xYHBEV+zu8GrN7pJD/XRqORNgMuO00LhOgAL90gEQxTopBsUmH4Ofu8XqBZXxQwiV5lzOnyXoU4t+lknuAIjiPqwX1iK1w/omKmZrlf12QdivQFocgL1x3r+b+m3WVBg/JoJ3xBmdoy1t0baZ3t2TcZMYdRCpLUrXgkFpZEIllMaKxE8AmCx4+brMhd+fQ1cpjF3BLcsNdEFYaIHnqf9khPY3MS9WwOPtk+B58mgWProCxVF8ZbrL4 OK6/t/5hAm8=
hdais.net.      5   IN  DNSKEY  256 3 8 AwEAAdHOO8NyfvzpJ16gvcpu8w4eCKRbwP+R9wlXOXDujFKeMRE/kXqn r6p9nuae4yzKQhav47fI48g3n+qkpAmmbVm2q7DW5f9ayft0f+2zcixEJcPCOgcJG0AyJNK7z0EHik6vWS8PrDs9jjLJ3QDIEUyQkYN4yVN3Hz4IKOSld5pquKpZu6c49wXF0P3wMkHycdbiL8+TERwopmh4nYOE6kIS1myrLZcrg4zeO1z0wDyxmYodqMsMyLla+5J2KHS1GtEhVxB/0D7EzR2JDn7/ XxVzJkb1gZr0XUBlRo9ijZw2YAjKrMaIYlKZk2BvztDvHvIHGQFv19re K4o7XOYcYtc=
hdais.net.      5   IN  DNSKEY  256 3 8 AwEAAcIwn7RdxIsFmGp+PgEKjTFK1o8py1nYtfcALMp4ReOZhLiqTnAX7IAEHn6GqejHf2YruNAjXR3CxazjFPFZKPOUi2NEPYBvaeC5Z3ZGYexn KWNToExyLa9fsAeyu9NdZqGF9LIblkDSku9z8XdbUSgCp2L1/rzpquZzUQ5siLiN0aNSwKue9ixbevqswuKHSwks5yZftr2qND7TXHK38JBTvgMu ksqyr3oU+O8ArZOhj28x/+bfCRps48l7r/s68CaLH2vSO274BKhr8YBn Z9kfTm/1EpJcutuaz53iSZWTCDNj1+Ni9UyXfTqxWw2AbB/yZfVYjKZX HjFOgoiewac=
(snip)

;; MSG SIZE  rcvd: 4439
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.