On 2014-05-16, Peter J. Philipp <[email protected]> wrote:
> Hi,
>
> While working on putting notify (RFC 1996) support into my DNS server, I
> came across this puzzling output (with OpenBSD's tcpdump):
>
> 10:14:48.292789 192.168.34.5.26837 > 192.168.35.1.53: [udp sum ok] 48054
> notify [b2&3=0x2400] SOA? centroid.eu. (29) (ttl 64, id 4395, len 57)
>
> Notice the b2&3=0x2400. It struck me as odd so I googled and found a
> patch for tcpdump that perhaps OpenBSD is interested in?
>
> http://marc.info/?l=tcpdump-patches&m=98115734907026&w=2
>
> Regards,
>
> -peter
>
The equivalent for our tree would be this (tested on BE and LE).
Any OKs? (I note that tcpdump.org haven't taken it, though that doesn't
mean anything in itself)..
Index: nameser.h
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/nameser.h,v
retrieving revision 1.6
diff -u -p -r1.6 nameser.h
--- nameser.h 4 Nov 2010 17:37:05 -0000 1.6
+++ nameser.h 16 May 2014 15:33:12 -0000
@@ -82,6 +82,8 @@
#if 0
#define xxx 0x3 /* 0x3 reserved */
#endif
+#define NS_NOTIFY_OP 0x4 /* notify secondary of SOA change */
+
/* non standard - supports ALLOW_UPDATES stuff from Mike Schwartz */
#define UPDATEA 0x9 /* add resource record */
#define UPDATED 0xa /* delete a specific resource
record */
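Review bot: NS_NOTIFY_OP in the added #define follows a different naming scheme from the opcode macros visible around it (UPDATEA, UPDATED, and IQUERY as used in print-domain.c), none of which carry an NS_ prefix or an _OP suffix. Either pick a name that matches the existing opcodes or note in the comment why the prefix is wanted. Citing RFC 1996 in the comment would also tell the next reader where 0x4 comes from.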
Index: print-domain.c
===================================================================
RCS file: /cvs/src/usr.sbin/tcpdump/print-domain.c,v
retrieving revision 1.18
diff -u -p -r1.18 print-domain.c
--- print-domain.c 4 Nov 2010 17:37:05 -0000 1.18
+++ print-domain.c 16 May 2014 15:33:12 -0000
@@ -663,9 +663,10 @@ ns_print(register const u_char *bp, u_in
DNS_RD(np) ? "+" : "",
DNS_CD(np) ? "%" : "");
- /* any weirdness? */
+ /* any weirdness? AA is expected in NOTIFY. */
b2 = EXTRACT_16BITS(((u_short *)np)+1);
- if (b2 & 0x6cf)
+ if ((b2 & 0x6cf) !=
+ (DNS_OPCODE(np) == NS_NOTIFY_OP ? 0x400 : 0))
printf(" [b2&3=0x%x]", b2);
if (DNS_OPCODE(np) == IQUERY) {
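Review bot: the new comparison in the if makes AA mandatory for NOTIFY rather than merely tolerated. When the opcode is NS_NOTIFY_OP the masked value must equal 0x400, so a NOTIFY without AA now prints [b2&3=...] even though none of the other masked bits is set. If the intent is only to stop flagging AA, dropping that bit from the mask for this opcode would do it, e.g. `if (b2 & (DNS_OPCODE(np) == NS_NOTIFY_OP ? 0x2cf : 0x6cf))`. If flagging a missing AA is intended, the comment should say so. The bare 0x400 would also read better as a named constant, since the comment is currently the only thing tying it to AA.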