Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EDNS0 padding support in auth #15009

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

EDNS0 padding support in auth #15009

wants to merge 5 commits into from

Conversation

miodvallat
Copy link
Contributor

@miodvallat miodvallat commented Jan 3, 2025
edited
Loading

Short description

Even though the auth<->recursor communication can probably be considered trustworthy, the auth server should nevertheless respond to queries containing the EDNS0 padding option with a similarly padded response. This PR achieves this.

(still marked as draft as I need to work on tests - I only checked the output of simple dig queries with and without +padding=128)

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@miodvallat miodvallat added the auth label Jan 3, 2025
@coveralls
Copy link

coveralls commented Jan 3, 2025
edited
Loading

Pull Request Test Coverage Report for Build 12667063404

Details

  • 9 of 21 (42.86%) changed or added relevant lines in 3 files are covered.
  • 37 unchanged lines in 11 files lost coverage.
  • Overall coverage decreased (-0.01%) to 64.815%
Changes Missing Coverage Covered Lines Changed/Added Lines %
pdns/dnspacket.cc 5 17 29.41%
Files with Coverage Reduction New Missed Lines %
modules/godbcbackend/sodbc.cc 2 70.8%
ext/json11/json11.cpp 2 62.72%
pdns/sstuff.hh 2 56.83%
pdns/backends/gsql/gsqlbackend.hh 2 97.71%
pdns/recursordist/test-syncres_cc2.cc 3 88.85%
pdns/stubresolver.cc 3 77.58%
pdns/misc.cc 3 64.57%
pdns/iputils.cc 3 54.99%
pdns/recursordist/recpacketcache.hh 3 89.55%
pdns/recursordist/test-syncres_cc1.cc 7 89.26%
Totals Coverage Status
Change from base Build 12652818968: -0.01%
Covered Lines: 126128
Relevant Lines: 163823
💛 - Coveralls

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 6, 2025
View reviewed changes
pdns/ednspadding.hh Fixed Show fixed Hide fixed
@miodvallat miodvallat marked this pull request as ready for review January 8, 2025 08:07
@miodvallat
Fix RFC 8467 number.
f8c2486 
Note that the typoed number (8647) was never issued as an RFC, so we
might want to pretend it was our doing, so as not to make these comments
too wrong.
@miodvallat
Prepare for more binaries needing ednspadding.cc
f38c75e
@miodvallat
Implement EDNS0 padding in auth responses.
60ab638 
When constructing the response to a query with EDNS0 padding set, keep
this in mind and build proper EDNS0 padding in the response packet.
@miodvallat
Move padding constants to their own namespace.
d6a9e63
@miodvallat
Crude tests for EDNS padding.
3bdc59d
Habbie
Habbie reviewed Jan 13, 2025
View reviewed changes
Copy link
Member

@Habbie Habbie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems to work, including packet cache handling! However, this needs configurability. I think allowing it by default on TCP is fine, but for UDP users should have control in some way.

@miodvallat
Copy link
Contributor Author

Recursor uses a edns-padding-out option. How about edns-padding-udp? Note that this will have no effect if incoming queries are not sent with EDNS padding enabled.

@Habbie
Copy link
Member

Habbie commented Jan 13, 2025

Recursor uses a edns-padding-out option. How about edns-padding-udp? Note that this will have no effect if incoming queries are not sent with EDNS padding enabled.

Recursor's edns-padding-from seems like an important inspiration, because it would allow a user to (with some care) separate "traffic that is going over an encrypted channel via dnsdist" from "actual UDP packets from the Internet".

The problem we're solving, I think, is that we don't want spoofed UDP queries to be able to get padded responses.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Habbie Habbie Habbie left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
auth needs review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@miodvallat @coveralls @Habbie