On 15.06.2012 at 11:58, Ralf Weber wrote:

> Moin!
> 
> On 15.06.2012, at 11:33, Axel Rau wrote:
>> I'm getting FormError while querying for a DNSKEY which does not exist.
>> dig gives a NoAnswer:
>> ---
>> dig +dnssec DNSKEY  example.com. @127.0.0.1
>> ...
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> ...
>> ---
>> My DNSpython script gets FormError instead:
>> ---
>>   zone = dns.zone.from_xfr(dns.query.xfr(s, self.name, relativize=False, 
>> lifetime=30.0), relativize=False)
>>   my_covers = dns.rdatatype.DNSKEY        # DNSKEYs signed by KSK
>>   rds = zone.find_rrset(self.name + '.', 'RRSIG', covers=my_covers)
>> 
>>   for rrsig_rdata in rds.items:
>>       key_tag = rrsig_rdata.key_tag
>> ---
>> ...gives:  <class 'dns.exception.FormError'>
>> 
>> What may be wrong here?
> 
> You are doing different things.
Yes.
> Your dig just queries for the DNSKEY RRSet, while your python code does a 
> zone transfer. So either do:
>       dig +dnssec axfr example.com. @127.0.0.1
Which returns no FormErr:
---
;; XFR size: 27 records (messages 1, bytes 4610)
---
> or use the following:
>       q = dns.message.make_query ('example.com', dns.rdatatype.DNSKEY, 
> want_dnssec=True)
>       keyanswer = dns.query.tcp (q, '127.0.0.1', 5)
>       for rdata in keyanswer.answer:
>           for item in rdata.items:
>       ....
> which is probably more what you want.
This was my 1st approach, but I did not succeed getting the key tag of the 
RRSIG. The above snippet continues (sorry for the omission):
---
for rrsig_rdata in rds.items:
    key_tag = rrsig_rdata.key_tag
    l.logDebug('test_if_included(key_type, secondKey) matching keytag: %s == %s' % (key_tag, self.keytag))
    if key_tag == self.keytag:
---
I would be happy to replace the axfr by a query. Any proposal?
> Note that I use DNS over tcp for all my DNSKEY checking as the DNSKEY is the 
> most likely to have problems with large packet sizes. You also could use 
> query.udp, but then would have to set use_edns and create the appropriate 
> edns values for the connection between you and the authoritative server.
Thanks for the advice,

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
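Axel asks how to replace the AXFR with a direct DNSKEY query and still read the key tag out of the RRSIG. The block below is an added example, not code from this thread and not dnspython's own code. It implements the RFC 4034 Appendix B key tag computation in plain Python, so the RRSIG's key tag can be matched against the DNSKEY records it signs without a network; the DNSKEY and RRSIG presentation strings, key bytes, names and function names are all constructed for illustration. The last function uses the dnspython calls Ralf named (`dns.message.make_query` with `want_dnssec=True`, `dns.query.tcp`) and needs dnspython plus a reachable server, so it is shown but not exercised by the offline sample.

```python
"""Match RRSIG key tags to DNSKEY records (RFC 4034 Appendix B key tag).

Added example for the dnspython-users thread above; not project code.
Sample records below are constructed, not real keys or signatures.
"""
import base64
import struct


def dnskey_rdata_wire(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Even-offset bytes are weighted by 256, odd-offset bytes by 1, then the
    carry is folded back in. (Algorithm 1, RSA/MD5, used a different rule.)
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text):
    """Split 'flags protocol algorithm key...' presentation fields."""
    fields = text.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    key_b64 = "".join(fields[3:])          # base64 key may be split by spaces
    return flags, protocol, algorithm, key_b64


def rrsig_key_tag(text):
    """Return (key tag, covered type) from RRSIG presentation fields:
    covered alg labels origttl expiration inception keytag signer signature."""
    fields = text.split()
    return int(fields[6]), fields[0]


def dnskey_tags(dnskey_texts):
    """Map computed key tag -> DNSKEY presentation text."""
    return {key_tag(dnskey_rdata_wire(*parse_dnskey(t))): t for t in dnskey_texts}


def find_signing_key(dnskey_texts, rrsig_texts, covers="DNSKEY"):
    """For each RRSIG covering `covers`, find the DNSKEY whose tag matches.

    Returns a list of (key tag, DNSKEY text); a signature whose tag matches
    no key in the set is simply not reported.
    """
    tags = dnskey_tags(dnskey_texts)
    matches = []
    for sig in rrsig_texts:
        tag, covered = rrsig_key_tag(sig)
        if covered == covers and tag in tags:
            matches.append((tag, tags[tag]))
    return matches


# Constructed sample RRset: a KSK (257) with key bytes 01 02 03 04 and a
# ZSK (256) with key bytes 05 06. Signatures are dummy base64 ("c2ln").
SAMPLE_DNSKEYS = ["257 3 8 AQIDBA==", "256 3 8 BQY="]
SAMPLE_RRSIGS = [
    "DNSKEY 8 2 3600 20120715115800 20120615115800 2063 example.com. c2ln",
    "A 8 2 3600 20120715115800 20120615115800 2318 example.com. c2ln",
]


def query_dnskey_rrsig_tags(name, server, timeout=5):
    """Direct DNSKEY query over TCP instead of AXFR (Ralf's suggestion).

    Returns the key tags of the RRSIGs covering the DNSKEY RRset. Requires
    dnspython and network access, so it is not run by the offline sample.
    """
    import dns.message
    import dns.query
    import dns.rdatatype

    q = dns.message.make_query(name, dns.rdatatype.DNSKEY, want_dnssec=True)
    resp = dns.query.tcp(q, server, timeout)
    tags = []
    for rrset in resp.answer:
        # Only RRSIGs that cover DNSKEY, i.e. the KSK-made signatures.
        if rrset.rdtype == dns.rdatatype.RRSIG and rrset.covers == dns.rdatatype.DNSKEY:
            tags.extend(rdata.key_tag for rdata in rrset)
    return tags


if __name__ == "__main__":
    print(dnskey_tags(SAMPLE_DNSKEYS))
    print(find_signing_key(SAMPLE_DNSKEYS, SAMPLE_RRSIGS))
```

In the offline sample the RRSIG covering DNSKEY carries tag 2063, which is the tag computed for the 257 (KSK) record, while the RRSIG over A carries 2318 and matches the ZSK; filtering on the covered type is what keeps the loop in Axel's snippet from comparing against signatures made by the wrong key. With dnspython available, `rdata.key_tag` on an RRSIG and the wire RDATA of a DNSKEY (`rdata.to_wire()`) feed the same `key_tag` function.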

_______________________________________________
dnspython-users mailing list
[email protected]
http://howl.play-bow.org/mailman/listinfo/dnspython-users