On Sun, Jul 03, 2022 at 07:47:27AM +0200, Florian Obser wrote:
> anyone?
Looks good and works for me, ok.
-Otto
>
> On 2022-06-25 13:15 +02, Florian Obser <flor...@openbsd.org> wrote:
> > See https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
> >
> > $ ./obj/dig @8.8.8.8 +norec _dns.resolver.arpa svcb
> >
> > ; <<>> dig 9.10.8-P1 <<>> @8.8.8.8 +norec _dns.resolver.arpa svcb
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21245
> > ;; flags: qr aa ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
> >
> > ;; QUESTION SECTION:
> > ;_dns.resolver.arpa. IN SVCB
> >
> > ;; ANSWER SECTION:
> > _dns.resolver.arpa. 86400 IN SVCB 1 dns.google. alpn="dot"
> > _dns.resolver.arpa. 86400 IN SVCB 2 dns.google. alpn="h2,h3"
> > dohpath="/dns-query{?dns}"
> >
> > ;; ADDITIONAL SECTION:
> > dns.google. 86400 IN A 8.8.8.8
> > dns.google. 86400 IN A 8.8.4.4
> > dns.google. 86400 IN AAAA 2001:4860:4860::8888
> > dns.google. 86400 IN AAAA 2001:4860:4860::8844
> >
> > ;; Query time: 11 msec
> > ;; SERVER: 8.8.8.8#53(8.8.8.8)
> > ;; WHEN: Sat Jun 25 13:08:21 CEST 2022
> > ;; MSG SIZE rcvd: 224
> >
> > $ ./obj/dig +dnssec cloudflare.com https
> >
> > ; <<>> dig 9.10.8-P1 <<>> +dnssec cloudflare.com https
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22508
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;cloudflare.com. IN HTTPS
> >
> > ;; ANSWER SECTION:
> > cloudflare.com. 217 IN HTTPS 1 . alpn="h3,h3-29,h2"
> > ipv4hint=104.16.132.229,104.16.133.229
> > ipv6hint=2606:4700::6810:84e5,2606:4700::6810:85e5
> > cloudflare.com. 217 IN RRSIG HTTPS 13 2 300 20220626120906
> > 20220624100906 34505
> > cloudflare.com. PbQwTGVBW2MIXubouK2vUo92UNvlJ874KCrqah/Or21Jo2oDxfgI15jA
> > 8z/Q6mseLPWIlTxex+KoIqv9y+FNjg==
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Sat Jun 25 13:10:29 CEST 2022
> > ;; MSG SIZE rcvd: 221
> >
> > OK?
>
> diff --git lib/dns/include/dns/types.h lib/dns/include/dns/types.h
> index 63ea8d67f51..7085ce29f2e 100644
> --- lib/dns/include/dns/types.h
> +++ lib/dns/include/dns/types.h
> @@ -139,6 +139,8 @@ enum {
> dns_rdatatype_openpgpkey = 61,
> dns_rdatatype_csync = 62,
> dns_rdatatype_zonemd = 63,
> + dns_rdatatype_svcb = 64,
> + dns_rdatatype_https = 65,
> dns_rdatatype_spf = 99,
> dns_rdatatype_unspec = 103,
> dns_rdatatype_nid = 104,
> diff --git lib/dns/rdata.c lib/dns/rdata.c
> index c27409efc3c..d731eb3a846 100644
> --- lib/dns/rdata.c
> +++ lib/dns/rdata.c
> @@ -775,6 +775,7 @@ dns_rdatatype_fromtext(dns_rdatatype_t *typep,
> isc_textregion_t *source) {
> {"gpos", 27},
> {"hinfo", 13},
> {"hip", 55},
> + {"https", 65},
> {"ipseckey", 45},
> {"isdn", 20},
> {"ixfr", 251},
> @@ -822,6 +823,7 @@ dns_rdatatype_fromtext(dns_rdatatype_t *typep,
> isc_textregion_t *source) {
> {"spf", 99},
> {"srv", 33},
> {"sshfp", 44},
> + {"svcb", 64},
> {"ta", 32768},
> {"talink", 58},
> {"tkey", 249},
> @@ -1006,6 +1008,10 @@ dns_rdatatype_totext(dns_rdatatype_t type,
> isc_buffer_t *target) {
> return (isc_str_tobuffer("CSYNC", target));
> case 63:
> return (isc_str_tobuffer("ZONEMD", target));
> + case 64:
> + return (isc_str_tobuffer("SVCB", target));
> + case 65:
> + return (isc_str_tobuffer("HTTPS", target));
> case 99:
> return (isc_str_tobuffer("SPF", target));
> case 100:
> diff --git lib/dns/rdata/in_1/https_65.c lib/dns/rdata/in_1/https_65.c
> new file mode 100644
> index 00000000000..23d80f8d352
> --- /dev/null
> +++ lib/dns/rdata/in_1/https_65.c
> @@ -0,0 +1,48 @@
> +/*
> + * Copyright (C) 2022 Florian Obser <flor...@openbsd.org>
> + *
> + * Permission to use, copy, modify, and/or distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
> + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> MERCHANTABILITY
> + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
> + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
> FROM
> + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
> + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
> + * PERFORMANCE OF THIS SOFTWARE.
> + */
> +
> +/* draft-ietf-dnsop-svcb-https-10 */
> +
> +#ifndef RDATA_IN_1_HTTPS_65_C
> +#define RDATA_IN_1_HTTPS_65_C
> +
> +static inline isc_result_t
> +totext_in_https(ARGS_TOTEXT) {
> + REQUIRE(rdata->type == dns_rdatatype_https);
> + REQUIRE(rdata->rdclass == dns_rdataclass_in);
> + REQUIRE(rdata->length != 0);
> +
> + return (totext_in_svcb_https(rdata, tctx, target));
> +}
> +
> +static inline isc_result_t
> +fromwire_in_https(ARGS_FROMWIRE) {
> + REQUIRE(type == dns_rdatatype_https);
> + REQUIRE(rdclass == dns_rdataclass_in);
> + return (fromwire_in_svcb_https(rdclass, type, source, dctx, options,
> + target));
> +}
> +
> +static inline isc_result_t
> +towire_in_https(ARGS_TOWIRE) {
> + REQUIRE(rdata->type == dns_rdatatype_https);
> + REQUIRE(rdata->length != 0);
> +
> + return (towire_in_svcb_https(rdata, cctx, target));
> +}
> +
> +
> +#endif /* RDATA_IN_1_HTTPS_65_C */
> diff --git lib/dns/rdata/in_1/svcb_64.c lib/dns/rdata/in_1/svcb_64.c
> new file mode 100644
> index 00000000000..721289bc6c8
> --- /dev/null
> +++ lib/dns/rdata/in_1/svcb_64.c
> @@ -0,0 +1,309 @@
> +/*
> + * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
> + * Copyright (C) 2022 Florian Obser <flor...@openbsd.org>
> + *
> + * Permission to use, copy, modify, and/or distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
> + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> MERCHANTABILITY
> + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
> + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
> FROM
> + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
> + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
> + * PERFORMANCE OF THIS SOFTWARE.
> + */
> +
> +/* $Id: srv_33.c,v 1.13 2020/09/14 08:40:44 florian Exp $ */
> +
> +/* draft-ietf-dnsop-svcb-https-10, based on srv_33.c */
> +
> +#ifndef RDATA_IN_1_SVCB_64_C
> +#define RDATA_IN_1_SVCB_64_C
> +
> +#define SVC_PARAM_MANDATORY 0
> +#define SVC_PARAM_ALPN 1
> +#define SVC_PARAM_NO_DEF_ALPN 2
> +#define SVC_PARAM_PORT 3
> +#define SVC_PARAM_IPV4HINT 4
> +#define SVC_PARAM_ECH 5
> +#define SVC_PARAM_IPV6HINT 6
> +#define SVC_PARAM_DOHPATH 7
> +
> +static inline const char*
> +svc_param_key_to_text(uint16_t key)
> +{
> + static char buf[sizeof "key65535"];
> +
> + switch (key) {
> + case SVC_PARAM_MANDATORY:
> + return ("mandatory");
> + case SVC_PARAM_ALPN:
> + return ("alpn");
> + case SVC_PARAM_NO_DEF_ALPN:
> + return ("no-default-alpn");
> + case SVC_PARAM_PORT:
> + return ("port");
> + case SVC_PARAM_IPV4HINT:
> + return ("ipv4hint");
> + case SVC_PARAM_ECH:
> + return ("ech");
> + case SVC_PARAM_IPV6HINT:
> + return ("ipv6hint");
> + case SVC_PARAM_DOHPATH:
> + return ("dohpath");
> + default:
> + snprintf(buf, sizeof buf, "key%u", key);
> + return (buf);
> + }
> +}
> +
> +static inline isc_result_t
> +totext_in_svcb_https(ARGS_TOTEXT) {
> + isc_region_t region;
> + dns_name_t name;
> + dns_name_t prefix;
> + int sub;
> + char buf[sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255"];
> + unsigned short num;
> +
> + dns_name_init(&name, NULL);
> + dns_name_init(&prefix, NULL);
> +
> + /*
> + * Priority.
> + */
> + dns_rdata_toregion(rdata, ®ion);
> + num = uint16_fromregion(®ion);
> + isc_region_consume(®ion, 2);
> + snprintf(buf, sizeof buf, "%u", num);
> + RETERR(isc_str_tobuffer(buf, target));
> + RETERR(isc_str_tobuffer(" ", target));
> +
> + /*
> + * Target.
> + */
> + dns_name_fromregion(&name, ®ion);
> + isc_region_consume(®ion, name_length(&name));
> + sub = name_prefix(&name, tctx->origin, &prefix);
> + RETERR(dns_name_totext(&prefix, sub, target));
> +
> + while (region.length > 0) {
> + isc_region_t val_region;
> + uint16_t svc_param_key, svc_param_value_len, man_key, port;
> +
> + RETERR(isc_str_tobuffer(" ", target));
> +
> + svc_param_key = uint16_fromregion(®ion);
> + isc_region_consume(®ion, 2);
> +
> + svc_param_value_len = uint16_fromregion(®ion);
> + isc_region_consume(®ion, 2);
> +
> + RETERR(isc_str_tobuffer(svc_param_key_to_text(svc_param_key),
> + target));
> +
> + val_region = region;
> + val_region.length = svc_param_value_len;
> +
> + isc_region_consume(®ion, svc_param_value_len);
> +
> + switch (svc_param_key) {
> + case SVC_PARAM_MANDATORY:
> + INSIST(val_region.length % 2 == 0);
> + RETERR(isc_str_tobuffer("=", target));
> + while (val_region.length > 0) {
> + man_key = uint16_fromregion(&val_region);
> + isc_region_consume(&val_region, 2);
> + RETERR(isc_str_tobuffer(svc_param_key_to_text(
> + man_key), target));
> + if (val_region.length != 0)
> + RETERR(isc_str_tobuffer(",", target));
> + }
> + break;
> + case SVC_PARAM_ALPN:
> + RETERR(isc_str_tobuffer("=\"", target));
> + while (val_region.length > 0) {
> + txt_totext(&val_region, 0, target);
> + if (val_region.length != 0)
> + RETERR(isc_str_tobuffer(",", target));
> + }
> + RETERR(isc_str_tobuffer("\"", target));
> + break;
> + case SVC_PARAM_NO_DEF_ALPN:
> + INSIST(val_region.length == 0);
> + break;
> + case SVC_PARAM_PORT:
> + INSIST(val_region.length == 2);
> + RETERR(isc_str_tobuffer("=", target));
> + port = uint16_fromregion(&val_region);
> + isc_region_consume(&val_region, 2);
> + snprintf(buf, sizeof buf, "%u", port);
> + RETERR(isc_str_tobuffer(buf, target));
> + break;
> + case SVC_PARAM_IPV4HINT:
> + INSIST(val_region.length % 4 == 0);
> + RETERR(isc_str_tobuffer("=", target));
> + while (val_region.length > 0) {
> + inet_ntop(AF_INET, val_region.base, buf,
> + sizeof buf);
> + RETERR(isc_str_tobuffer(buf, target));
> + isc_region_consume(&val_region, 4);
> + if (val_region.length != 0)
> + RETERR(isc_str_tobuffer(",", target));
> + }
> + break;
> + case SVC_PARAM_ECH:
> + RETERR(isc_str_tobuffer("=", target));
> + RETERR(isc_base64_totext(&val_region, 0, "", target));
> + break;
> + case SVC_PARAM_IPV6HINT:
> + INSIST(val_region.length % 16 == 0);
> + RETERR(isc_str_tobuffer("=", target));
> + while (val_region.length > 0) {
> + inet_ntop(AF_INET6, val_region.base, buf,
> + sizeof buf);
> + RETERR(isc_str_tobuffer(buf, target));
> + isc_region_consume(&val_region, 16);
> + if (val_region.length != 0)
> + RETERR(isc_str_tobuffer(",", target));
> + }
> + break;
> + case SVC_PARAM_DOHPATH:
> + RETERR(isc_str_tobuffer("=", target));
> + RETERR(multitxt_totext(&val_region, target));
> + break;
> + default:
> + RETERR(isc_str_tobuffer("=", target));
> + RETERR(multitxt_totext(&val_region, target));
> + break;
> + }
> + }
> + return (ISC_R_SUCCESS);
> +}
> +
> +static inline isc_result_t
> +totext_in_svcb(ARGS_TOTEXT) {
> + REQUIRE(rdata->type == dns_rdatatype_svcb);
> + REQUIRE(rdata->rdclass == dns_rdataclass_in);
> + REQUIRE(rdata->length != 0);
> +
> + return (totext_in_svcb_https(rdata, tctx, target));
> +}
> +
> +static inline isc_result_t
> +fromwire_in_svcb_https(ARGS_FROMWIRE) {
> + dns_name_t name;
> + isc_region_t sr;
> + unsigned int svc_param_value_len;
> + int alias_mode = 0;
> +
> + UNUSED(type);
> + UNUSED(rdclass);
> +
> + dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
> +
> + dns_name_init(&name, NULL);
> +
> + /*
> + * SvcPriority.
> + */
> + isc_buffer_activeregion(source, &sr);
> + if (sr.length < 2)
> + return (ISC_R_UNEXPECTEDEND);
> + RETERR(isc_mem_tobuffer(target, sr.base, 2));
> + alias_mode = uint16_fromregion(&sr) == 0;
> + isc_buffer_forward(source, 2);
> +
> + /*
> + * TargetName.
> + */
> + RETERR(dns_name_fromwire(&name, source, dctx, options, target));
> + if (alias_mode) {
> + /*
> + * In AliasMode, recipients MUST ignore any SvcParams that
> + * are present.
> + */
> + return (ISC_R_SUCCESS);
> + }
> +
> + isc_buffer_activeregion(source, &sr);
> + while (sr.length > 0) {
> + /*
> + * SvcParamKey.
> + */
> + if (sr.length < 2)
> + return (ISC_R_UNEXPECTEDEND);
> +
> + RETERR(isc_mem_tobuffer(target, sr.base, 2));
> + isc_region_consume(&sr, 2);
> + isc_buffer_forward(source, 2);
> +
> + /*
> + * SvcParamValue length.
> + */
> + if (sr.length < 2)
> + return (ISC_R_UNEXPECTEDEND);
> +
> + RETERR(isc_mem_tobuffer(target, sr.base, 2));
> + svc_param_value_len = uint16_fromregion(&sr);
> + isc_region_consume(&sr, 2);
> + isc_buffer_forward(source, 2);
> +
> + if (sr.length < svc_param_value_len)
> + return (ISC_R_UNEXPECTEDEND);
> +
> + RETERR(isc_mem_tobuffer(target, sr.base, svc_param_value_len));
> + isc_region_consume(&sr, svc_param_value_len);
> + isc_buffer_forward(source, svc_param_value_len);
> + }
> +
> + return (ISC_R_SUCCESS);
> +}
> +
> +static inline isc_result_t
> +fromwire_in_svcb(ARGS_FROMWIRE) {
> + REQUIRE(type == dns_rdatatype_svcb);
> + REQUIRE(rdclass == dns_rdataclass_in);
> + return (fromwire_in_svcb_https(rdclass, type, source, dctx, options,
> + target));
> +}
> +
> +static inline isc_result_t
> +towire_in_svcb_https(ARGS_TOWIRE) {
> + dns_name_t name;
> + dns_offsets_t offsets;
> + isc_region_t sr;
> +
> + dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
> +
> + /*
> + * SvcPriority.
> + */
> + dns_rdata_toregion(rdata, &sr);
> + RETERR(isc_mem_tobuffer(target, sr.base, 2));
> + isc_region_consume(&sr, 2);
> +
> + /*
> + * TargetName.
> + */
> + dns_name_init(&name, offsets);
> + dns_name_fromregion(&name, &sr);
> + RETERR(dns_name_towire(&name, cctx, target));
> + isc_region_consume(&sr, name_length(&name));
> +
> + /*
> + * SvcParams.
> + */
> + return (isc_mem_tobuffer(target, sr.base, sr.length));
> +}
> +
> +static inline isc_result_t
> +towire_in_svcb(ARGS_TOWIRE) {
> + REQUIRE(rdata->type == dns_rdatatype_svcb);
> + REQUIRE(rdata->length != 0);
> +
> + return (towire_in_svcb_https(rdata, cctx, target));
> +}
> +#endif /* RDATA_IN_1_SVCB_64_C */
>
>
> --
> I'm not entirely sure you are real.
>
