Add support for OPENPGPKEY RRTYPE. #2354
Conversation
OPENPGPKEY is defined in draft-ietf-dane-openpgpkey. The IANA has assigned RRTYPE 61. Its content is a single binary blob, its presentation is a single hex blob. Thanks to Aki Tuomi, JP Mens and Peter van Dijk for bug reports and insights. Signed-off-by: James Cloos <cloos@jhcloos.com>
|
Doc says 'since 3.0', which should probably be 3.5.0 |
|
|
|
And finally, did you actually test this? |
Specify an accurate version in the ‘Since’ tag. Signed-off-by: James Cloos <cloos@jhcloos.com>
Yes. I wasn't sure what the next version would be, exactly, and forgot Updated to 3.5.0 per that suggestion. -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
Signed-off-by: James Cloos <cloos@jhcloos.com>
PD> Do you perfer something like d_keyring? The draft says: ,---- -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
PvD> And finally, did you actually test this? Yes. I copied my existing db over to a test box, replaced my TYPE61 row -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
|
Yes, d_keyring sounds fine! If you change to d_keyring, and Travis passes again, I'm happy to merge this. |
|
Please provide test-dnsrecords_cc.cc test suite! =) |
|
@cmouse that is actually a fair point! |
AT> Please provide test-dnsrecords_cc.cc test suite! =) That will take some time to generate. I was hoping it could be done in I'll need to generate some keys of various sizes for the tests. Are there any objections to using names @powerdns.org for them? -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
|
Well, sure, but the test suite in test-dnsrecords_cc.cc only tests for parseability, not key validity. Anything goes as long as it's syntaxically valid. If you want to make regression-tests to ensure that keys are really valid and work, that's another thing. |
|
I would like 'parses fine' for test-dnsrecords_cc.cc in this pull if we can. I would love to have a deeper test in another pull later! |
Signed-off-by: James Cloos <cloos@jhcloos.com>
|
So is something like: enough, then? If so, I pushed one like that but with a real keyring (albeit w/o xtra (What does the bool in signify?) -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
|
When the bool is set to 'true', this signifies that we know this test is currently failing, and tolerate that with a warning. Please keep yours on false if you can. This test looks fine; perhaps also add one with embedded whitespace (assuming the draft allows this; it should! if not, file a bug with the draft!). With those two tests in place, I think I'm happy to merge this! |
|
Build failed. Did you test this one locally, including the test? (it involves passing |
|
I just noticed that I misread one aspect of the draft. The presentation is base64, not hex. (I must have gotten hex in my head from the raw TYPE61 format.) I'll have to re-do it again. -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
Also add a test which has whitespace within the tested presentation. Signed-off-by: James Cloos <cloos@jhcloos.com>
|
One of those failures is due to the spaces. Does conv.xfrHexBlob() ignore spaces when converting the b64 For the test with spaces in the base64, does it require CASE_L, with and I presume the other fail is that I put in incomplete wire data. I take -JimCJames Cloos cloos@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6 |
|
It seems to me support for OPENPGPKEY support would be incomplete with this patch. It is missing a critical part of the implementation of OPENPGPKEY record support: Because of how easily the size of this record type can grow it's considered a possible of DDOS amplification attacks. It is strongly recommended to never respond to a request from an unverified source. In practice this means for UDP: Which means that way the data is always send over TCP. ( I know about this because I was listening to the audio recording of the ICANN52 DNSSEC workshop and Paul Wouters mentioned it: http://singapore52.icann.org/en/schedule/wed-dnssec at 3 hours, 19 min. and 26 sec. ) |
|
@Lennie this section is a recommendation, by no means a mandatory part of the specification. |
|
Pieter I hope you can see how it is important to still add this to be a good netizen. How complicated would it be (I don't remember enough of the code to know this from the top of my head) ? |
|
It is not trivial. Basically you're adding a special case that sets TC=1 when qtype matches to special list. You could do this with Lua filter if this is important now. |
| @@ -93,7 +96,7 @@ Since 2.9.21. The SSHFP record type, used for storing Secure Shell (SSH) fingerp | |||
| SRV records can be used to encode the location and port of services on a domain name. When encoding, the priority field is used to encode the priority. For example, '\_ldap.\_tcp.dc.\_msdcs.conaxis.ch SRV 0 100 389 mars.conaxis.ch' would be encoded with 0 in the priority field and '100 389 mars.conaxis.ch' in the content field. | |||
|
|
|||
| ## TLSA | |||
| Since 3.0. The TLSA record, specified in [RFC 6698](http://tools.ietf.org/html/rfc6698), are used to bind SSL/TLS certificate to named hosts and ports. | |||
| Since 3.0. The TLSA records, specified in [RFC 6698](http://tools.ietf.org/html/rfc6698), are used to bind SSL/TLS certificate to named hosts and ports. | |||
There was a problem hiding this comment.
This change is not related to your feature, please rever it.
Note that the OPENPGPKEY draft appears to have stalled, and is generally undeployable in its current form - we are not yet sure we want to merge this if the draft has the potential to just expire. Thank you! |
|
closing, will create a ticket |
OPENPGPKEY is defined in draft-ietf-dane-openpgpkey.
The IANA has assigned RRTYPE 61.
Its content is a single binary blob, its presentation is a single hex blob.
Thanks to Aki Tuomi, JP Mens and Peter van Dijk for bug reports and insights.
Signed-off-by: James Cloos cloos@jhcloos.com