New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better DNSSEC proofs #2084
Better DNSSEC proofs #2084
Conversation
97c72c5
to
644f381
Compare
71348af
to
5f6eb28
Compare
Ok, I think this is ready. The big change here is that records are always returned on lookups now, rather than removing them from the response if they were unable to be verified. I haven't implemented this across all pub fn dnssec_iter(&self) -> DnssecIter<'_>;
pub fn dnssec_record_iter(&self) -> DnssecLookupRecordIter<'_>; This impl<'a> Iterator for DnssecIter<'a> {
type Item = Proven<&'a RData>;
...
} And then for a full Record if desired, the pub fn require_as_ref<I: Into<ProofFlags>>(&self, flags: I) -> Result<&T, Proof>;
pub fn require<I: Into<ProofFlags>>(self, flags: I) -> Result<T, Self>; The idea is that one would use the resolver as normal (switching on the configs for performing DNSSEC validation) and then use the dnssec iterators in order to ensure that they evaluate the DNSSEC status of the record before use, for example: let lookup = resolver.lookup("www.example.com", RecordType::A).unwrap();
for data in lookup.dnssec_iter() {
// Only evaluate the data if it was either proven to be `Secure` or `Insecure`,
// i.e. signed or a zone that's known to not be signed
let a = data.try_borrow(Proof::Secure | Proof::Insecure).unwrap();
// do something with the A record
...
} Now, a note based on my testing. It seems that upstream resolvers may not return On a similar line, we still don't have Overall, this was a big change, so I'm guessing there are other gaps. |
FYI, @kevincox, @teythoon, @moparisthebest, @wez, I think you've all expressed interest here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm excited to see this!
I not familiar enough with most of the implementation to comment on that, but I do have some feedback on the proof/proven stuff.
2fbe7f0
to
82e26a9
Compare
Waiting on one interface discussion, otherwise, I think this is finally ready to land. |
@djc, I think I'd like to land this. We could squash the commit if you want to clean up the number of changes here... |
I think this merits a round of review before landing? Might take me a bit to get too, though. |
I wish there was a simple way to go back and clean up the PRs. There's some interfaces that ended up in there that I removed later, like |
You're aware of |
Yes, but it can be a lot of work to remove code, I can take a look and see. |
re: tidying up, if it proves to be too difficult to fixup the code in a commit without dealing with 20+ merge conflicts, you could just comment in the commit description to explain it. eg: if a commit was:
you could amend the description:
As an aside/slight plug: https://sapling-scm.com/ (to which I used to be a contributor) has some nice UX around dealing with a stack of commits. You can directly check out a commit from the stack, then amend it and it will automatically rebase the rest of the stack. Perhaps too late to help with this stack now, I wanted to mention that it has a killer absorb command that can intelligently amend code changes to appropriate commits (yes, plural!) in the stack in a single invocation. While sapling was built for FB's fork of Mercurial, it also works on Git repositories. If you find yourself regularly dealing with big stacks like this, I think it is worth evaluating. I think my personal record was ~100 commits in a stack and refactoring that thing after review feedback was surprisingly manageable. If you like the idea of absorb, but don't or can't use sapling for whatever reason, it looks like someone has ported that concept to git over in https://github.com/tummychow/git-absorb. I don't know how well this particular implementation works. |
I often use git-absorb, works well in all the straightforward cases! (From the Google side of the fence there's also jujutsu which I think fits in the same general category as sapling.) |
I'm not going to have time to go back through the commits. I'd love to try and get this landed though, so let me know what I can do to help. |
03a76ef
to
5c21ed0
Compare
d8fc7a7
to
ea798f8
Compare
ok, I finally had a moment to clean up that unnecessary stuff. I think this is ready to go, sorry for the largish change, let me know if you want me to simplify this by squashing some of the commits. |
@djc any comments on this PR? I'd really like this to be landed before more DNSSEC changes start coming in. |
ea798f8
to
3d38ef2
Compare
(This is on my radar -- it's been very busy -- sorry I haven't gotten to it.) |
3d38ef2
to
ea69dc1
Compare
@djc, I'm going to merge this as we have other work coming into the project in this area now that this should really land in support of. If you can come back to this and review, I can put up a PR to resolve those issues. |
ea69dc1
to
4c1357e
Compare
I've taken an initial stab at cleaning up the DNSSEC validation and move to associating a Proof to each record. This differs a little bit from what was discussed in #1708 as I think this might be the best option.
This adds a
Proof
enum that has theSecure
,Bogus
,Insecure
, andIndeterminate
as members.Once validated it associates that proof to the
Record
, there's more cleanup here as we only supportSecure
records being returned at the moment, and even though we can detectBogus
, it's returned as anError
right now, which I think we decided we want to move away from.I still need to add the
Insecure
path, but before I do that I wanted to see if anyone wanted to offer early feedback. Also, I want to reduce more cloning. I was able to remove quite a bit that was still there from before async/await was finalized. I think there's more yet that can be done.Fixes: #1708
Fixes: #2095
Fixes: #1650