Last active
April 9, 2017 20:35
-
-
Save hdais/25cb3fc86335026d40f0 to your computer and use it in GitHub Desktop.
NSD4 refuse-ANY-query patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- nsd-4.1.7/query.c 2015-11-18 17:50:05.000000000 +0900 | |
| +++ nsd-4.1.7-refuse-any/query.c 2016-04-09 03:34:09.312740769 +0900 | |
| @@ -677,7 +677,7 @@ | |
| assert(query); | |
| /* Currently, only troublesome for DNSKEY and DS, | |
| * cuz their RRSETs are quite large. */ | |
| - return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS); | |
| + return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS && query->qtype != TYPE_ANY); | |
| } | |
| static int | |
| @@ -930,6 +930,7 @@ | |
| { | |
| add_rrset(q, answer, ANSWER_SECTION, domain, rrset); | |
| ++added; | |
| + break; | |
| } | |
| } | |
| if (added == 0) { |
w/ patch
$ dig @::1 hdais.net ANY +dnssec
;; ANSWER SECTION:
hdais.net. 5 IN SOA ns1.hdais.net. dais.hdais.net. 1460057401 10 10 604800 30
hdais.net. 5 IN RRSIG SOA 8 2 5 20160507183001 20160407183001 32310 hdais.net. AjjDGKev2OyBwAKHYCcxM5c8QvwJYyRvmyPzIkuyleMVVs2k/0yxEdPG3u39le3yFuYPfC57Np7FykXZkbDprDpSJcnOeBtECjxw/e4uFB935B1 X+Bw22vgRnUPCWEiC/6zSmW4Taam1bHCy2EgiQ/s9raVARB4KfM5zmVJofQr0rYNebyyUC+Uq4TkTN6mWBI+qnu/MFAV+DR9sKqLG5RSe21YlLW8 UQamAKFUXLhoIW4/98mY9AuN6B+lQTmro9W3clQI+zBCv2pwOe9yRF9E+pBF7/ftUxcUxTWfMP6AVBpg4SOt3Rz5SOpgtvYBvuM4UeCSoA5GVATe GgnKQg==
;; MSG SIZE rcvd: 470
w/o patch
$ dig @::1 hdais.net ANY +dnssec
;; ANSWER SECTION:
hdais.net. 5 IN SOA ns1.hdais.net. dais.hdais.net. 1460057401 10 10 604800 30
hdais.net. 0 IN NSEC3PARAM 1 0 0 DEADBEEF
hdais.net. 5 IN DNSKEY 257 3 8 AwEAAb2UmrsgRp7NRC0r3F4pgt+cq535MKrHlpN70LhTztZ67RQdgE1L y/Yz+xiztqCyxqz+JoMBQsBAKOCTtUKHd/xYHBEV+zu8GrN7pJD/XRqORNgMuO00LhOgAL90gEQxTopBsUmH4Ofu8XqBZXxQwiV5lzOnyXoU4t+lknuAIjiPqwX1iK1w/omKmZrlf12QdivQFocgL1x3r+b+m3WVBg/JoJ3xBmdoy1t0baZ3t2TcZMYdRCpLUrXgkFpZEIllMaKxE8AmCx4+brMhd+fQ1cpjF3BLcsNdEFYaIHnqf9khPY3MS9WwOPtk+B58mgWProCxVF8ZbrL4 OK6/t/5hAm8=
hdais.net. 5 IN DNSKEY 256 3 8 AwEAAdHOO8NyfvzpJ16gvcpu8w4eCKRbwP+R9wlXOXDujFKeMRE/kXqn r6p9nuae4yzKQhav47fI48g3n+qkpAmmbVm2q7DW5f9ayft0f+2zcixEJcPCOgcJG0AyJNK7z0EHik6vWS8PrDs9jjLJ3QDIEUyQkYN4yVN3Hz4IKOSld5pquKpZu6c49wXF0P3wMkHycdbiL8+TERwopmh4nYOE6kIS1myrLZcrg4zeO1z0wDyxmYodqMsMyLla+5J2KHS1GtEhVxB/0D7EzR2JDn7/ XxVzJkb1gZr0XUBlRo9ijZw2YAjKrMaIYlKZk2BvztDvHvIHGQFv19re K4o7XOYcYtc=
hdais.net. 5 IN DNSKEY 256 3 8 AwEAAcIwn7RdxIsFmGp+PgEKjTFK1o8py1nYtfcALMp4ReOZhLiqTnAX7IAEHn6GqejHf2YruNAjXR3CxazjFPFZKPOUi2NEPYBvaeC5Z3ZGYexn KWNToExyLa9fsAeyu9NdZqGF9LIblkDSku9z8XdbUSgCp2L1/rzpquZzUQ5siLiN0aNSwKue9ixbevqswuKHSwks5yZftr2qND7TXHK38JBTvgMu ksqyr3oU+O8ArZOhj28x/+bfCRps48l7r/s68CaLH2vSO274BKhr8YBn Z9kfTm/1EpJcutuaz53iSZWTCDNj1+Ni9UyXfTqxWw2AbB/yZfVYjKZX HjFOgoiewac=
(snip)
;; MSG SIZE rcvd: 4439
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
A patch for NSD 4.1.7 to minimize ANY response as per draft-ietf-dnsop-refuse-any.
When NSD receives ANY query for existing owner name it returns a single RRSet (plus RRSIG) instead of all RRSets.
This patch doesn't synthesize HINFO. It picks only a single RRSet (plus RRSIG).
How to patch