Better DNSSEC proofs #2084
Better DNSSEC proofs #2084
Conversation
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
2 times, most recently
from
97c72c5
to
644f381
Compare
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
3 times, most recently
from
71348af
to
5f6eb28
Compare
|
Ok, I think this is ready. The big change here is that records are always returned on lookups now, rather than removing them from the response if they were unable to be verified. I haven't implemented this across all pub fn dnssec_iter(&self) -> DnssecIter<'_>;
pub fn dnssec_record_iter(&self) -> DnssecLookupRecordIter<'_>;This impl<'a> Iterator for DnssecIter<'a> {
type Item = Proven<&'a RData>;
...
}And then for a full Record if desired, the pub fn require_as_ref<I: Into<ProofFlags>>(&self, flags: I) -> Result<&T, Proof>;
pub fn require<I: Into<ProofFlags>>(self, flags: I) -> Result<T, Self>;The idea is that one would use the resolver as normal (switching on the configs for performing DNSSEC validation) and then use the dnssec iterators in order to ensure that they evaluate the DNSSEC status of the record before use, for example: let lookup = resolver.lookup("www.example.com", RecordType::A).unwrap();
for data in lookup.dnssec_iter() {
// Only evaluate the data if it was either proven to be `Secure` or `Insecure`,
// i.e. signed or a zone that's known to not be signed
let a = data.try_borrow(Proof::Secure | Proof::Insecure).unwrap();
// do something with the A record
...
}Now, a note based on my testing. It seems that upstream resolvers may not return On a similar line, we still don't have Overall, this was a big change, so I'm guessing there are other gaps. |
|
FYI, @kevincox, @teythoon, @moparisthebest, @wez, I think you've all expressed interest here. |
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
from
2fbe7f0
to
82e26a9
Compare
|
Waiting on one interface discussion, otherwise, I think this is finally ready to land. |
|
@djc, I think I'd like to land this. We could squash the commit if you want to clean up the number of changes here... |
|
I think this merits a round of review before landing? Might take me a bit to get too, though. |
|
I wish there was a simple way to go back and clean up the PRs. There's some interfaces that ended up in there that I removed later, like |
You're aware of |
|
Yes, but it can be a lot of work to remove code, I can take a look and see. |
|
re: tidying up, if it proves to be too difficult to fixup the code in a commit without dealing with 20+ merge conflicts, you could just comment in the commit description to explain it. eg: if a commit was:
you could amend the description:
As an aside/slight plug: https://sapling-scm.com/ (to which I used to be a contributor) has some nice UX around dealing with a stack of commits. You can directly check out a commit from the stack, then amend it and it will automatically rebase the rest of the stack. Perhaps too late to help with this stack now, I wanted to mention that it has a killer absorb command that can intelligently amend code changes to appropriate commits (yes, plural!) in the stack in a single invocation. While sapling was built for FB's fork of Mercurial, it also works on Git repositories. If you find yourself regularly dealing with big stacks like this, I think it is worth evaluating. I think my personal record was ~100 commits in a stack and refactoring that thing after review feedback was surprisingly manageable. If you like the idea of absorb, but don't or can't use sapling for whatever reason, it looks like someone has ported that concept to git over in https://github.com/tummychow/git-absorb. I don't know how well this particular implementation works. |
|
I often use git-absorb, works well in all the straightforward cases! (From the Google side of the fence there's also jujutsu which I think fits in the same general category as sapling.) |
|
I'm not going to have time to go back through the commits. I'd love to try and get this landed though, so let me know what I can do to help. |
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
from
03a76ef
to
5c21ed0
Compare
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
2 times, most recently
from
d8fc7a7
to
ea798f8
Compare
|
ok, I finally had a moment to clean up that unnecessary stuff. I think this is ready to go, sorry for the largish change, let me know if you want me to simplify this by squashing some of the commits. |
|
@djc any comments on this PR? I'd really like this to be landed before more DNSSEC changes start coming in. |
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
from
ea798f8
to
3d38ef2
Compare
|
(This is on my radar -- it's been very busy -- sorry I haven't gotten to it.) |
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
from
3d38ef2
to
ea69dc1
Compare
|
@djc, I'm going to merge this as we have other work coming into the project in this area now that this should really land in support of. If you can come back to this and review, I can put up a PR to resolve those issues. |
bluejekyll
force-pushed
the
better-dnssec-proofs
branch
from
ea69dc1
to
4c1357e
Compare
I've taken an initial stab at cleaning up the DNSSEC validation and move to associating a Proof to each record. This differs a little bit from what was discussed in #1708 as I think this might be the best option.
This adds a
Proofenum that has theSecure,Bogus,Insecure, andIndeterminateas members.Once validated it associates that proof to the
Record, there's more cleanup here as we only supportSecurerecords being returned at the moment, and even though we can detectBogus, it's returned as anErrorright now, which I think we decided we want to move away from.I still need to add the
Insecurepath, but before I do that I wanted to see if anyone wanted to offer early feedback. Also, I want to reduce more cloning. I was able to remove quite a bit that was still there from before async/await was finalized. I think there's more yet that can be done.Fixes: #1708
Fixes: #2095
Fixes: #1650