On Fri, Oct 30, 2020 at 03:04:03PM +0100, Florian Obser wrote:

Love it,

        -Otto

> $ obj/dig @1.1.1.1 dnssec-failed.org
> 
> ; <<>> dig 9.10.8-P1 <<>> @1.1.1.1 dnssec-failed.org
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26772
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; EDE: 6 (DNSSEC Bogus)
> ;; QUESTION SECTION:
> ;dnssec-failed.org.             IN      A
> 
> ;; Query time: 244 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Fri Oct 30 14:59:09 CET 2020
> ;; MSG SIZE  rcvd: 52
> 
> Since I'm not aware of a server/query combination that responds with
> UTF-8 encoded EXTENDED-TEXT, I didn't implement anything special for
> this, so it will use the default renderer that's also used for NSIDs,
> printing a hexdump + printable ASCII, e.g.:
> 
> $ dig @k.root-servers.net +nsid . soa
> [...]
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; NSID: 6e 73 33 2e 6e 6c 2d 61 6d 73 2e 6b 2e 72 69 70 65 2e 6e 65 74 
> ("ns3.nl-ams.k.ripe.net")
> 
> OK?
> 
> diff --git lib/dns/include/dns/message.h lib/dns/include/dns/message.h
> index 65ffcfd4c3f..a70720eee39 100644
> --- lib/dns/include/dns/message.h
> +++ lib/dns/include/dns/message.h
> @@ -104,6 +104,7 @@
>  #define DNS_OPT_COOKIE               10              /*%< COOKIE opt code */
>  #define DNS_OPT_PAD          12              /*%< PAD opt code */
>  #define DNS_OPT_KEY_TAG              14              /*%< Key tag opt code */
> +#define DNS_OPT_EDE          15              /* RFC 8914 */
>  
>  /*%< The number of EDNS options we know about. */
>  #define DNS_EDNSOPTIONS      4
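Review bot: The comment on the new define, `/* RFC 8914 */`, departs from the `/*%< ... opt code */` form used by the three defines above it and does not say what the option is. Something like `/*%< EDE (Extended DNS Error) opt code, RFC 8914 */` would keep the list uniform and make the constant self-describing.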
> diff --git lib/dns/message.c lib/dns/message.c
> index 5e0fb167382..9721f9c0ef4 100644
> --- lib/dns/message.c
> +++ lib/dns/message.c
> @@ -2434,6 +2434,68 @@ render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target) 
> {
>       return (ISC_R_SUCCESS);
>  }
>  
> +static const char *
> +ede_info_code2str(uint16_t info_code)
> +{
> +     if (info_code > 49151)
> +             return "Private Use";
> +
> +     switch (info_code) {
> +     case 0:
> +             return "Other Error";
> +     case 1:
> +             return "Unsupported DNSKEY Algorithm";
> +     case 2:
> +             return "Unsupported DS Digest Type";
> +     case 3:
> +             return "Stale Answer";
> +     case 4:
> +             return "Forged Answer";
> +     case 5:
> +             return "DNSSEC Indeterminate";
> +     case 6:
> +             return "DNSSEC Bogus";
> +     case 7:
> +             return "Signature Expired";
> +     case 8:
> +             return "Signature Not Yet Valid";
> +     case 9:
> +             return "DNSKEY Missing";
> +     case 10:
> +             return "RRSIGs Missing";
> +     case 11:
> +             return "No Zone Key Bit Set";
> +     case 12:
> +             return "NSEC Missing";
> +     case 13:
> +             return "Cached Error";
> +     case 14:
> +             return "Not Ready";
> +     case 15:
> +             return "Blocked";
> +     case 16:
> +             return "Censored";
> +     case 17:
> +             return "Filtered";
> +     case 18:
> +             return "Prohibited";
> +     case 19:
> +             return "Stale NXDomain Answer";
> +     case 20:
> +             return "Not Authoritative";
> +     case 21:
> +             return "Not Supported";
> +     case 22:
> +             return "No Reachable Authority";
> +     case 23:
> +             return "Network Error";
> +     case 24:
> +             return "Invalid Data";
> +     default:
> +             return "Unassigned";
> +     }
> +}
> +
>  isc_result_t
>  dns_message_pseudosectiontotext(dns_message_t *msg,
>                               dns_pseudosection_t section,
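Review bot: ede_info_code2str has no comment saying where its table comes from, and the bare `49151` in the first test is unexplained. A header such as `/* Names from the RFC 8914 Extended DNS Error Codes registry; 49152-65535 is Private Use, any other unlisted code prints as "Unassigned" */` would tell a maintainer what to update when further codes are registered. Every return value is a string literal, so the only response-derived data passing through this helper is the numeric code, which is worth keeping true if the table is ever extended.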
> @@ -2557,6 +2619,20 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
>                                       ADD_STRING(target, "\n");
>                                       continue;
>                               }
> +                     } else if (optcode == DNS_OPT_EDE) {
> +                             uint16_t info_code;
> +                             ADD_STRING(target, "; EDE");
> +                             if (optlen >= 2) {
> +                                     info_code =
> +                                         isc_buffer_getuint16(&optbuf);
> +                                     optlen -= 2;
> +                                     snprintf(buf, sizeof(buf), ": %u (",
> +                                         info_code);
> +                                     ADD_STRING(target, buf);
> +                                     ADD_STRING(target,
> +                                         ede_info_code2str(info_code));
> +                                     ADD_STRING(target, ")");
> +                             }
>                       } else {
>                               ADD_STRING(target, "; OPT=");
>                               snprintf(buf, sizeof(buf), "%u", optcode);
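Review bot: The bytes left in `optlen` after `optlen -= 2` are the server-supplied extra text, and how they get printed is decided by code after this hunk, which is not visible here. The description says they go through the generic hexdump + printable ASCII renderer; that is what keeps control bytes from a resolver's response out of the terminal, so it deserves a comment at the branch, e.g. `/* rest of option is untrusted text from the server; left to the generic hexdump renderer below */`. When `optlen < 2` only `; EDE` is emitted and the 0 or 1 leftover bytes take the same fall-through path, so confirm that path still terminates the line. dns_message_pseudosectiontotext begins and ends outside the hunk.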
> 
> 
> -- 
> I'm not entirely sure you are real.
> 
